On March 14, 2024, a popular Github action for detecting changed files was compromised, @tj-actions/changed-files
. The attacker overwrote all existing versions of the action to run a script which dumped out the secrets stored in the Github actions runner.
Here’s a more in-depth writeup, containing more technical details on the incident: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
Existing Solutions
There are existing solutions to pinning versions in Github actions today. For example, instead of:
- name: Get all changed files
id: changed-markdown-files
uses: tj-actions/changed-files@v46
You would use:
- name: Get all changed files
id: changed-markdown-files
uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46
This ensures that only revision 823fcebdb31bb35fdf2229d9f769b400309430d0
can be loaded when your action runs. This also means it’s tough for authors to push changes.
How might we improve this?
Repository-Specific Pins
We could also build a settings interface within each repository. It might work like this:
- If an action hasn’t been used before, we record it’s tag and commit hash in the settings.
- For each action that has been used before, we always use the stored commit hash and not the latest version pushed to the tag.
We could then build a settings interface, listing all the pinned versions of each specific action. When updates are available, they could be listed there, along with a diff of exactly what changed.
All things being equal, I think an approach like this is probably what’s best for the platform as a whole, because it can be deployed without users needing to perform any changes to their existing code.
Version Pinning
We could also potentially add a new section to each Github action workflow file, allowing code to better interpret and manage this, e.g. via Dependabot.
This solution would require users to opt-in, so it may not be the best.
security:
version-pinning:
required: true
versions:
tj-actions/changed-files@v46: 823fcebdb31bb35fdf2229d9f769b400309430d0