
[Eclipse iceoryx] Security Breach in tj-actions/changed-files GitHub Action

Summary of the Issue

The tj-actions/changed-files GitHub Action has been compromised. Attackers modified the Action’s code and retroactively updated multiple version tags to reference a malicious commit. This compromised Action has been found to expose CI/CD secrets in GitHub Actions build logs. If these logs are public, anyone can access and steal these secrets.

GitHub has since removed the affected Action, and a secure replacement is available. However, any secrets exposed in your workflow logs should be treated as compromised and rotated immediately.

The compromise of tj-actions/changed-files was potentially due to a similar compromise of another GitHub Action, reviewdog/action-setup@v1. The following Actions may also be affected: 

  • reviewdog/action-shellcheck
  • reviewdog/action-composite-template
  • reviewdog/action-staticcheck
  • reviewdog/action-ast-grep
  • reviewdog/action-typos

Our Progress to Date

We have identified the following workflows with potential risk:

We examined the workflow runs that occurred within the timeframe when the compromised actions were infected.

These analyses revealed no potential leaks.

Immediate Actions to Take

  1. Review our Workflow Run Logs Analysis

    It is possible that we missed something.

    At this time, the potential indicators of compromise we are aware of are the appearance of secret hashes in workflow run logs for steps using the compromised actions listed above. Kindly review the logs for steps involving:

    • tj-actions/changed-files:
      • Check for hashes under log lines containing the text “changed-files”
      • Example: in this article under “Review GitHub Actions Workflow Run Logs”

    • reviewdog/*:
      • Check for hashes in step logs
      • Example: in this article under “Summary of the incident”

  2. Rotate Potentially Compromised Secrets
    • If you see something suspicious, identify all secrets used in the workflow.
    • Identify which ones are managed by the Eclipse Foundation and which ones are controlled by your team.
    • For all secrets controlled by your team
    • For all secrets controlled by the Eclipse Foundation, please share with us the list of secret names to be rotated and revoked.

  3. Update Your Workflows to Use a Secure Replacement

Replace all instances of tj-actions/changed-files and the other affected actions with patched versions, referencing the specific commit hash instead of a version tag to mitigate future supply chain attacks (a tag can be moved to a malicious commit; a full commit hash cannot):

tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1

If you really need to use tags (not recommended), you can use:

tj-actions/changed-files@v46.0.1

  4. Delete Logs Containing Secrets

If secrets were exposed in workflow logs, delete the affected logs immediately to prevent further exposure.

  5. Review Your Project’s Configuration and Stay Alert

Review the configuration of your projects and watch out for actions that might already have been performed with the exposed secrets. Such actions could include, but are not limited to (depending on the secrets exposed):

  • Modifying the project’s artefacts (such as release tarballs)
  • Adding commits or tags
  • Changing links in the project’s documentation

Next steps

To reduce exposure to supply chain threats, update all GitHub Actions references in your workflows to use a full commit hash instead of a tag. Dependabot can manage action updates, including hash-pinned references. The Eclipse Foundation Security Team offers tooling to pin all your workflows at once and ensure they stay that way.
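As an added example (not part of this issue or of the Eclipse Foundation tooling mentioned above), the following Python script audits a workflow file for `uses:` references that are not pinned to a full 40-character commit hash, and raises the severity when the reference names one of the actions listed in this issue. The workflow text is constructed for illustration; only the v46.0.1 commit hash comes from the issue.

```python
import re

# Constructed sample workflow (not from the original issue). The pinned SHA is the
# v46.0.1 commit given above; the other references are illustrative only.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-shellcheck@v1
      - uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
      - uses: ./.github/actions/local-step
"""

# Actions named in this issue as compromised or potentially affected.
AFFECTED = {
    "tj-actions/changed-files",
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return one finding per `uses:` reference not pinned to a full commit SHA.
    Local (./path) and docker:// references are skipped. A tag or branch can be
    moved to a malicious commit, which is exactly how this incident propagated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue  # pinned to an immutable commit, nothing to report
        findings.append({
            "line": lineno,
            "action": name,
            "ref": version or "(none)",
            "severity": "high" if name in AFFECTED else "medium",
        })
    return findings
```

Run it over every file under `.github/workflows/` and treat any "high" finding as a workflow whose logs need the review described in step 1.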

Additional Resources

Edited by Ioana Iliescu