
Update tj-actions/changed-files usage from the Github Action checks since it has been compromised #17597

Merged
merged 1 commit into from
Mar 16, 2025

Conversation

reta
Collaborator

@reta reta commented Mar 15, 2025

Description

Remove tj-actions/changed-files usage from the Github Action checks since it has been compromised. Please see https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Related Issues

N/A

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@reta reta added the security Anything security related label Mar 15, 2025
@reta reta requested review from jed326 and peternied as code owners March 15, 2025 17:08
Member

@peterzhuamazon peterzhuamazon left a comment


Hi @reta, I approve the PR and opened a similar issue on the build repo.
However, at the time the build repo is locking to a commit instead of @main, so I guess we are fine for now.

Seems like the original reporting suggests the majority of the versions are affected?

As for core, would this example fully replace the action?
https://github.com/opensearch-project/opensearch-build/blob/main/.github/workflows/manifests.yml#L6-L10

Let me know,
Thanks.

@peterzhuamazon
Member

And do we need backports for this?

@peterzhuamazon
Member

Seems like it is just changing tags to point to this commit: tj-actions/changed-files@0e58ed8.

And since we already lock to a commit a while ago I think we are fine for now.

Thanks.
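The "lock to a commit" point made above can be checked mechanically. The script below is an added example, not code from this PR or from the OpenSearch repositories: it scans a constructed workflow snippet for `uses:` references that are not pinned to a full 40-hex commit SHA, since tags and branch names can be repointed after the fact while a full SHA cannot. The sample workflow, the placeholder checkout SHA and the function names are assumptions.

```python
import re
from typing import List

# Matches a `uses:` step in a GitHub Actions workflow, e.g.
#   - uses: tj-actions/changed-files@v45
# Only horizontal whitespace is allowed before `uses:` so the match
# start stays on the same line (needed for line-number reporting).
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(?P<repo>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_SHA_RE = re.compile(r"[0-9a-f]{7,39}")

# Constructed sample workflow (not taken from any real repository).
# The checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: check-changed-files
on: [pull_request]
jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8
      - uses: ./.github/actions/local-action
"""


def find_unpinned(workflow_text: str) -> List[dict]:
    """Return every remote `uses:` reference not pinned to a full 40-hex SHA.

    Local actions (./path) carry no @ref and are skipped. Abbreviated SHAs are
    reported separately: they are immutable in practice but GitHub's hardening
    guidance asks for the full-length form.
    """
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group("ref")
        if FULL_SHA_RE.fullmatch(ref):
            continue  # properly pinned
        kind = "abbreviated-sha" if SHORT_SHA_RE.fullmatch(ref) else "tag-or-branch"
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        findings.append({"line": line_no, "repo": m.group("repo"), "ref": ref, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['repo']}@{f['ref']} is {f['kind']}, pin to a full commit SHA")
```

Running it against real workflow files (`for f in .github/workflows/*.yml`) gives a quick inventory of which third-party actions still trust a mutable tag.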

@peterzhuamazon
Member

Seems resolved: tj-actions/changed-files#2464 (comment)

…ince it has been compromised

Signed-off-by: Andriy Redko <drreta@gmail.com>
@reta reta force-pushed the remove.tj-actions branch from 97bc3ca to 85e3155 Compare March 16, 2025 13:31
@reta reta changed the title Remove tj-actions/changed-files usage from the Github Action checks since it has been compromised Update tj-actions/changed-files usage from the Github Action checks since it has been compromised Mar 16, 2025
@reta
Collaborator Author

reta commented Mar 16, 2025

Seems resolved: tj-actions/changed-files#2464 (comment)

Thanks @peterzhuamazon, updated to the latest one.

@reta reta added backport 2.x Backport to 2.x branch backport 2.19 labels Mar 16, 2025
@reta reta merged commit 444df2c into opensearch-project:main Mar 16, 2025
38 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 16, 2025
…ince it has been compromised (#17597)

Signed-off-by: Andriy Redko <drreta@gmail.com>
(cherry picked from commit 444df2c)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 16, 2025
…ince it has been compromised (#17597)

Signed-off-by: Andriy Redko <drreta@gmail.com>
(cherry picked from commit 444df2c)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
reta pushed a commit that referenced this pull request Mar 16, 2025
…ince it has been compromised (#17597) (#17601)

(cherry picked from commit 444df2c)

Signed-off-by: Andriy Redko <drreta@gmail.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
reta pushed a commit that referenced this pull request Mar 16, 2025
…ince it has been compromised (#17597) (#17600)

(cherry picked from commit 444df2c)

Signed-off-by: Andriy Redko <drreta@gmail.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Labels
backport 2.x Backport to 2.x branch backport 2.19 security Anything security related skip-changelog