hotfix: remove compromised changed-files action

goxberry · goxberry · commit e8b6f2a7f4fd · 2025-03-14T22:52:38.000-07:00
The `tj-actions/changed-files` GitHub action appears to have been compromised. For details, see: - https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised Apparently, using the action can leak CI secrets, so this commit removes our only use of the action and replaces it with an equivalent implementation in shell. Signed-off-by: Geoffrey M. Oxberry <geoffrey.oxberry@datadoghq.com>
diff --git a/.github/workflows/check-changelog.yml b/.github/workflows/check-changelog.yml
@@ -25,10 +25,12 @@ jobs:
     - name: Check if CHANGELOG.md was modified
       id: changelog-check
       if: steps.label-check.outputs.has_label == 'false'
-      uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45.0.7
-      with:
-        files: |
-          CHANGELOG.md
+      run: |
+          if git diff --quiet HEAD^ -- CHANGELOG.md; then
+              echo "any_changed=false" >> $GITHUB_OUTPUT
+          else
+              echo "any_changed=true" >> $GITHUB_OUTPUT
+          fi
 
     - name: Assert CHANGELOG.md is modified
       uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
