[CircleCI Security Alert] Rotate any secrets stored in CircleCI

Sorry, but that statement doesn’t help anyone. There are two possibilities here:

  1. You are 100% certain that malicious actors were not able to access build runners. In that case you can state that and let your customers know builds created while the attack happened can be trusted.
  2. You can’t rule out that the attacker accessed build runners at this time. Even if you think you’ll have certainty a week from now, if you take security seriously you should tell customers to redo any builds from that period. Customers that have a semi-competent security team already have a process to do so; supply-chain risks are not exactly a new thing.

Based on the vague statements published so far we’ve already assumed that builds created during the incident can’t be trusted, but it would be good to be more upfront about that.