Multiple tags in tj-actions/changed-files (one of the actions we are using) are compromised
Context: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://github.com/search?q=org%3Athreefoldtech%20tj-actions%2Fchanged-files&type=code
Update: I checked and confirmed that we were not exposed to this attack.
- The last time we ran this workflow (Generate benchmark weights), it was well ahead of the compromised time.
- Now the issue has been resolved and no further actions are required, as all tags were restored to point to their original uncompromised commits: https://github.com/tj-actions/changed-files/issues/2464#issuecomment-2727015352
Double-check the tag we are using:
To clarify:
The action name is simply a pointer to a GitHub repository under a GitHub organization.
The name prefixed by @ represents the commit identifier. It is generally in the form of a tag, e.g. @v3:
actions/checkout@v3
In fact, a tag is simply a pointer to a specific SHA:
actions/checkout@v3 points to actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
Both commit SHA and tags can be used as commit identifiers. The problem with GitHub tags is that they can be updated to point to other commits (hence open to such attacks).
@xmonader Should we start using commit SHAs vs GitHub tags and update the workflows in all of our repos?
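As an added example (not code from this thread or the repository), here is a small audit that answers the question above for a workflow file: it lists every `uses:` reference and flags those pinned to a mutable ref (tag or branch) rather than a full 40-hex commit SHA. The sample workflow below is constructed for illustration.

```python
import re

# Matches a step line of the form `- uses: owner/repo[/path]@ref`,
# tolerating quotes and a trailing `# v3` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)@([^\s'\"#]+)")
# Only a full-length 40-hex SHA counts as pinned; short SHAs, tags and
# branch names are all treated as mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (action, ref, status) for each remote `uses:` line.

    status is 'pinned' for a full commit SHA, otherwise 'mutable'.
    Local actions (./path) and docker:// images are not audited."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue
        status = "pinned" if SHA_RE.match(ref) else "mutable"
        findings.append((action, ref, status))
    return findings


def unpinned(text):
    """Just the references that should be replaced by a commit SHA."""
    return [(a, r) for a, r, s in audit_workflow(text) if s == "mutable"]


# Constructed sample workflow; the SHA is the one quoted in the thread.
SAMPLE = """\
name: Generate benchmark weights
on: [workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
      - uses: tj-actions/changed-files@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for action, ref in unpinned(SAMPLE):
        print(f"{action}@{ref}: mutable ref, pin to a full commit SHA")
```

Keeping the original tag as a trailing comment (`@<sha> # v3`) preserves readability, and the script still reports it as pinned because only the ref before the comment is examined.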