
docs-csm (and more) used a compromised tj-actions/changed-files GitHub action (CVE-2025-30066)

Open eslerm opened this issue 10 months ago • 1 comment

docs-csm used a compromised version of tj-actions/changed-files. The compromised action appears to have leaked secrets the runner had in memory.

There are many instances of this on Cray-HPE repos:

  • https://github.com/Cray-HPE/docs-csm/blob/release/1.7/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/docs-csm/blob/release/1.7/.github/workflows/shfmt.yaml
  • https://github.com/Cray-HPE/docs-csm/blob/release/1.7/.github/workflows/shellcheck.yaml
  • https://github.com/Cray-HPE/docs-csm/blob/release/1.7/.github/workflows/spellcheck.yaml
  • https://github.com/Cray-HPE/docs-csm/blob/release/1.7/.github/workflows/link-check.yaml
  • https://github.com/Cray-HPE/docs-csm/blob/release/1.7/.github/workflows/style-check.yaml
  • https://github.com/Cray-HPE/cani/blob/main/.github/workflows/license_check.yml
  • https://github.com/Cray-HPE/cms-ipxe/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/cray-product-catalog/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/cray-product-catalog-core/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/sat/blob/main/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/csm-ssh-keys/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/python-csm-api-client/blob/main/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/cfs-config-util/blob/main/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/cf-cme-ca-cert/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/cms-tftpd/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/bos-utils/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/convert-oas30-schemas/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/k8s-liveness/blob/develop/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/license-checker/blob/main/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/spire-agent/blob/main/.github/workflows/shellcheck.yaml
  • https://github.com/Cray-HPE/prodmgr/blob/main/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/sat-product-stream/blob/release/2.6/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/sat-cfs-install/blob/main/.github/workflows/license-check.yaml
  • https://github.com/Cray-HPE/sat-podman/blob/main/.github/workflows/license-check.y

Output of an affected run:

  • https://github.com/Cray-HPE/docs-csm/actions/runs/13864199769/job/38799521707#step:4:59

Please review and follow up on other Cray-HPE repos.

Learn about the compromise on StepSecurity or Semgrep.

This issue has been assigned CVE-2025-30066.

eslerm avatar Mar 16 '25 19:03 eslerm
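A defender's check for the follow-up the issue asks for, added here as example code that is not part of the issue or of any Cray-HPE repository: it scans a checkout's `.github/workflows` directory for `uses:` references to tj-actions/changed-files and reports whether each reference is pinned to a full commit SHA or only to a mutable tag or branch. The embedded sample workflow and its 40-hex SHA are constructed for the demonstration.

```python
import re
from pathlib import Path

# Action reported compromised in this issue (CVE-2025-30066).
AFFECTED_ACTION = "tj-actions/changed-files"

# Matches `uses: owner/repo@ref` (optionally as a list item, optionally quoted).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^@\s\"']+)@([^\s\"']+)", re.MULTILINE)
# A full-length commit SHA is the only immutable form of pinning.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text, action=AFFECTED_ACTION):
    """Return a list of (ref, pinned_by_sha) for every `uses:` of `action`."""
    hits = []
    for repo, ref in USES_RE.findall(workflow_text):
        if repo == action:
            hits.append((ref, bool(SHA_RE.match(ref))))
    return hits


def scan_workflows(repo_root):
    """Map each workflow file under repo_root that uses the action to its refs."""
    results = {}
    for path in sorted(Path(repo_root).glob(".github/workflows/*.y*ml")):
        hits = find_action_refs(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample workflow: one tag-pinned and one SHA-pinned reference.
SAMPLE_WORKFLOW = """\
name: license-check
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for ref, pinned in find_action_refs(SAMPLE_WORKFLOW):
        print(f"{AFFECTED_ACTION}@{ref}: {'SHA-pinned' if pinned else 'MUTABLE ref, review'}")
```

Run `scan_workflows(".")` from a repository root to list every workflow file that references the action; a tag-pinned reference is the case to review, since the compromise retargeted existing tags.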

This issue has not had activity in over 20 days and is being marked as stale.

github-actions[bot] avatar Apr 06 '25 10:04 github-actions[bot]