From aecf98a6e642423fefefa3aa3f28932b1349b8c5 Mon Sep 17 00:00:00 2001 From: Jon Cluce Date: Sat, 15 Mar 2025 14:40:20 -0400 Subject: [PATCH 1/2] :lock: :alien: Remove compromized GitHub Action --- .github/workflows/on_push.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/on_push.yml b/.github/workflows/on_push.yml index c584dd14f..741ac4e86 100644 --- a/.github/workflows/on_push.yml +++ b/.github/workflows/on_push.yml @@ -35,13 +35,6 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 2 - - name: Get changed files since last commit - uses: tj-actions/changed-files@v45.0.7 - id: changed-files - with: - since_last_remote_commit: "true" - files: .github/Dockerfiles/* - json: "true" - name: Determine stages to rebuild env: MESSAGE: ${{ github.event.head_commit.message }} @@ -49,14 +42,12 @@ jobs: run: | # initialize phase arrays declare -a PHASE_ONE PHASE_TWO PHASE_THREE REBUILD_PHASE_ONE REBUILD_PHASE_TWO REBUILD_PHASE_THREE - # turn JSON array into BASH array - CHANGED_FILES=( $(echo ${{ steps.changed-files.outputs.all_changed_files }} | sed -e 's/\[//g' -e 's/\]//g' -e 's/\,/ /g') ) # loop through stages to maybe rebuild for STAGE in $(cat ${GITHUB_WORKSPACE}/.github/stage_requirements/phase_one.txt) do PHASE_ONE+=($STAGE) # check commit message for [rebuild STAGE] or if STAGE has changed - if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]] + if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] then REBUILD_PHASE_ONE+=($STAGE) fi @@ -64,7 +55,7 @@ jobs: for STAGE in $(cat ${GITHUB_WORKSPACE}/.github/stage_requirements/phase_two.txt) do PHASE_TWO+=($STAGE) - if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]] + if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] then REBUILD_PHASE_TWO+=($STAGE) fi 
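Review bot: Removing `CHANGED_FILES` in the hunk at `@@ -49,14 +42,12 @@` leaves `[rebuild STAGE]` in the commit message as the only trigger, so a Dockerfile edited and pushed without that tag is silently built on the stale stage image; the same narrowing applies to the conditions in `@@ -64,7 +55,7 @@` and `@@ -72,14 +63,14 @@`. The checkout step above still fetches with `fetch-depth: 2`, so the change detection can be restored without any third-party action by putting `CHANGED_FILES=( $(git diff --name-only HEAD~1 HEAD -- .github/Dockerfiles/) )` where the removed line was and keeping the `|| [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]]` clauses, assuming a parent commit exists on the push. Whether the old comparison of full paths against bare stage names ever matched is not visible in this hunk, so the filename-to-stage mapping should be confirmed before reinstating it. If message-only triggering is the intended end state, the context comment `# check commit message for [rebuild STAGE] or if STAGE has changed` now overstates what the condition does and `fetch-depth: 2` has no remaining consumer in this job.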
@@ -72,14 +63,14 @@ jobs: for STAGE in $(cat ${GITHUB_WORKSPACE}/.github/stage_requirements/phase_three.txt) do PHASE_THREE+=($STAGE) - if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-${STAGE}]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]] + if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-${STAGE}]"* ]] then REBUILD_PHASE_THREE+=($STAGE) fi done # add base stages based on their dependencies BASES=("${PHASE_THREE[@]}" standard) - if [[ "${MESSAGE}" == *"[rebuild standard]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-standard]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " standard " ]] + if [[ "${MESSAGE}" == *"[rebuild standard]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-standard]"* ]] then REBUILD_PHASE_THREE+=(standard) fi From 340f6139c46c11425ae0f7fe99f36f8b4ebc9a1d Mon Sep 17 00:00:00 2001 From: Jon Cluce Date: Sat, 15 Mar 2025 14:44:20 -0400 Subject: [PATCH 2/2] :memo: Document CI process change --- CHANGELOG.md | 4 ++++ CONTRIBUTING.md | 1 + 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c44628a6d..cd1205f6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -127,6 +127,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - `wxpython` - `yamlordereddictloader` +#### Removed CI dependency + +- `tj-actions/changed-files` ([CVE-2023-51664](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised)) + ### Upgraded dependencies - `AFNI` 21.1.00 'Domitian' → 23.3.09 'Septimius Severus' diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 24b37bcd4..2f54c2a94 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -80,3 +80,4 @@ We have 3 types of staging Dockerfiles: operating system, software dependency, a * To change a dependency in a C-PAC image, update the stage images at the top of the relevant `.github/Dockerfiles/C-PAC.develop-*.Dockerfile`. * If a Dockerfile does not yet exist for the added dependency, create a Dockerfile for the new dependency and add the filename (without extension) to [`jobs.stages.strategy.matrix.Dockerfile` in `.github/workflows/build_stages.yml`](https://github.com/FCP-INDI/C-PAC/blob/4e18916384e52c3dc9610aea3eed537c19d480e3/.github/workflows/build_stages.yml#L77-L97) * If no Dockerfiles use the removed dependency, remove the Dockerfile for the dependency and remove the filename from [`jobs.stages.strategy.matrix.Dockerfile` in `.github/workflows/build_stages.yml`](https://github.com/FCP-INDI/C-PAC/blob/4e18916384e52c3dc9610aea3eed537c19d480e3/.github/workflows/build_stages.yml#L77-L97) +* When making changes to a Dockerfile, include the line `[rebuild (unknown)]` where `filename` is the name of the Dockerfile without the extension (e.g., `[rebuild Ubuntu.jammy-non-free]`).