From 17b49b9dbde61634700f83eb4f9af47b4c86240c Mon Sep 17 00:00:00 2001
From: David Sterba
Date: Mon, 17 Mar 2025 20:53:07 +0100
Subject: [PATCH] btrfs-progs: ci: update version of tj-actions/changed-files

There was an attack on the changed-files action [1] that is used in the devel workflow, started only after the branch devel is pushed, currently possible only by 2 people. There was one run of GH actions that used the compromised version and only the temporary github tokens (github_token, system.github.token, with the "ghs_" prefix) were visible in the logs. Their lifetime is said to be 24hours. No other tokens or secretes were affected. As recommended, bump the version to v46. We may reimplement the action eventually as it's quite simple for our needs.
[1] https://www.ox.security/15-hours-of-open-sourced-hell-lessons-learned-from-tj-actions-changed-files/
Signed-off-by: David Sterba
---
 .github/workflows/devel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/devel.yml b/.github/workflows/devel.yml
index fe06ada2..ece98db2 100644
--- a/.github/workflows/devel.yml
+++ b/.github/workflows/devel.yml
@@ -21,7 +21,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Get changed files
 id: changed-files
- uses: tj-actions/changed-files@v44
+ uses: tj-actions/changed-files@v46
 - run: sudo modprobe btrfs
 - run: sudo apt-get update -qqq
 - run: sudo apt-get install -y pkg-config gcc liblzo2-dev libzstd-dev libblkid-dev uuid-dev zlib1g-dev libext2fs-dev e2fsprogs libudev-dev python3-sphinx sphinx-rtd-theme-common python3-sphinx-rtd-theme
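Review bot: The new `uses: tj-actions/changed-files@v46` line still references a mutable tag, so each run executes whatever commit upstream has that tag pointing at, and the workflow keeps the same exposure to a changed ref that the commit message is responding to. Pinning to the full commit SHA of the release that was actually reviewed, written as `uses: tj-actions/changed-files@<FULL_COMMIT_SHA_FOR_V46> # v46` (placeholder; take the value from the upstream release), makes the executed code independent of tag integrity. The same applies to `actions/checkout@v4` in the context line above. The hunk shows only part of the job, so it is not visible whether the workflow declares `permissions:`. If it does not, a top-level `permissions: { contents: read }` would narrow what a logged `ghs_` token could be used for during its lifetime.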