William Woodruff

  1. Registering my dissatisfaction with GitHub

    Mini-post.

  2. Brocards for vulnerability triage

    I spend some of my hobby time doing vulnerability triage on open source projects. As part of that, I see (and filter through) a lot of nonsense (footnote: spam, “beg bounty” submissions, and increasingly zero-effort LLM submissions).

  3. Some flexibility with Go’s sumdb

    I noticed this a year or two ago, but forgot to write it up back then.

  4. Dependency cooldowns, redux

    Three weeks ago I wrote about how we should all be using dependency cooldowns.

  5. We should all be using dependency cooldowns

    TL;DR: Dependency cooldowns are a free, easy, and incredibly effective way to mitigate the large majority of open source supply chain attacks. More individual projects should apply cooldowns (via tools like Dependabot and Renovate) to their dependencies, and packaging ecosystems should invest in first…

  6. Dear GitHub: no YAML anchors, please

    TL;DR: for a very long time, GitHub Actions lacked support for YAML anchors.

  7. One year of zizmor

    This is a dual purpose post: I’ve released zizmor v1.13.0, and zizmor has turned one year old (footnote: it depends on how you count: zizmor’s first commit was roughly

  8. Fun with finite state transducers

    I recently (footnote: a few months ago) solved an interesting problem inside zizmor with a type of state machine/automaton I hadn’t used before: a finite state transducer (FST).

  9. A new adventure

    This is a personal announcement post: after 7 years at Trail of Bits, I’m leaving to do something new. Specifically, I’ll be joining Astral to help them build the next generation of Python developer tooling.

  10. Bypassing GitHub Actions policies in the dumbest way possible

    TL;DR: GitHub Actions provides a policy mechanism for limiting the kinds of actions and reusable workflows that can be used within a repository, organization, or entire enterprise. Unfortunately, this mechanism is trivial to bypass. GitHub has told me that they don’t consider this a security issue (I…
