Hi folks,
Not the most enjoyable news to receive on a Friday night but security notices are best acted on quickly. A popular re-usable GitHub Action tj-actions/changed-files has been compromised. There is a well written article with the details here: Semgrep | 🚨 Popular GitHub Action tj-actions/changed-files is compromised
The Infrastructure project and Open Robotics Security team are taking action in core Open Robotics repositories but I wanted to make sure that all in the community are aware and can take appropriate steps.
If I can soap box at all here, my recommendation when using platforms like GitHub Actions is to rely on what you know rather than what you can find for small tasks like this. Inlining your own change detection logic as recommended in the article is doable with a few lines of git and shell. Here’s one example from the reprepro-updater repository. The script there may not have the features of the reusable action but it’s plain what it does when you look at it and it will always do exactly that until you need to change it.
When it does make sense to rely on shared GitHub Actions, such as for more complicated tasks, the other advice in the above article is worth heeding:
Generally, pin all GitHub Actions to specific commit SHAs (rather than version tags) you know are safe.
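As an added example (mine, not the reprepro-updater script linked above), here is the inline change-detection logic the post recommends, done with git and shell in a form a workflow step could call; the base/head refs come from the pull_request event's standard environment variables, and the directory prefixes `docker` and `debian` are assumed for illustration.

```shell
#!/usr/bin/env bash
# Added example: inline change detection for a GitHub Actions job, as an
# alternative to a third-party reusable action. The directory filters are
# assumed for illustration; GITHUB_BASE_REF and GITHUB_SHA are the variables
# GitHub sets for a pull_request event.
set -eu

# Print the files that changed between two refs, one path per line.
# The job must check out with fetch-depth: 0 so the base ref is present.
changed_files() {
  base="$1"
  head="$2"
  git diff --name-only "${base}...${head}"
}

# Read file paths on stdin; print "true" if any path lives under one of the
# directory prefixes given as arguments, "false" otherwise.
any_under() {
  while IFS= read -r path; do
    for prefix in "$@"; do
      case "$path" in
        "$prefix"/*) echo true; return 0 ;;
      esac
    done
  done
  echo false
}

# Usage inside a workflow step (the guard keeps this runnable locally too).
if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  base="origin/${GITHUB_BASE_REF}"
  head="${GITHUB_SHA}"
  if [ "$(changed_files "$base" "$head" | any_under docker debian)" = true ]; then
    # Later steps read this output to decide whether to rebuild packages.
    echo "packaging_changed=true" >> "$GITHUB_OUTPUT"
  fi
fi
```

The step itself needs no `uses:` line at all, and any action it does sit beside (checkout, for instance) should be referenced by a full commit SHA as the post advises.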