🔒️👽️👷➖ Remove tj-actions/changed-files dependency

.github/workflows/on_push.yml

@@ -35,51 +35,42 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 2
-      - name: Get changed files since last commit
-        uses: tj-actions/[email protected]
-        id: changed-files
-        with:
-          since_last_remote_commit: "true"
-          files: .github/Dockerfiles/*
-          json: "true"
       - name: Determine stages to rebuild
         env:
           MESSAGE: ${{ github.event.head_commit.message }}
         id: rebuild
         run: |
           # initialize phase arrays
           declare -a PHASE_ONE PHASE_TWO PHASE_THREE REBUILD_PHASE_ONE REBUILD_PHASE_TWO REBUILD_PHASE_THREE
-          # turn JSON array into BASH array
-          CHANGED_FILES=( $(echo ${{ steps.changed-files.outputs.all_changed_files }} | sed -e 's/\[//g' -e 's/\]//g' -e 's/\,/ /g') )
           # loop through stages to maybe rebuild
           for STAGE in $(cat ${GITHUB_WORKSPACE}/.github/stage_requirements/phase_one.txt)
           do
             PHASE_ONE+=($STAGE)
             # check commit message for [rebuild STAGE] or if STAGE has changed
-            if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]]
+            if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]]
             then
               REBUILD_PHASE_ONE+=($STAGE)
             fi
           done
           for STAGE in $(cat ${GITHUB_WORKSPACE}/.github/stage_requirements/phase_two.txt)
           do
             PHASE_TWO+=($STAGE)
-            if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]]
+            if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]]
             then
               REBUILD_PHASE_TWO+=($STAGE)
             fi
           done
           for STAGE in $(cat ${GITHUB_WORKSPACE}/.github/stage_requirements/phase_three.txt)
           do
             PHASE_THREE+=($STAGE)
-            if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-${STAGE}]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " ${STAGE} " ]]
+            if [[ "${MESSAGE}" == *"[rebuild ${STAGE}]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-${STAGE}]"* ]]
             then
               REBUILD_PHASE_THREE+=($STAGE)
             fi
           done
           # add base stages based on their dependencies
           BASES=("${PHASE_THREE[@]}" standard)
-          if [[ "${MESSAGE}" == *"[rebuild standard]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-standard]"* ]] || [[ " ${CHANGED_FILES[*]} " =~ " standard " ]]
+          if [[ "${MESSAGE}" == *"[rebuild standard]"* ]] || [[ "${MESSAGE}" == *"[rebuild base-standard]"* ]]
           then
             REBUILD_PHASE_THREE+=(standard)
           fi

CHANGELOG.md

@@ -127,6 +127,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `wxpython`
 - `yamlordereddictloader`
 
+#### Removed CI dependency
+
+- `tj-actions/changed-files` ([CVE-2023-51664](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised))
+
 ### Upgraded dependencies
 
 - `AFNI` 21.1.00 'Domitian' → 23.3.09 'Septimius Severus'

CONTRIBUTING.md

@@ -80,3 +80,4 @@ We have 3 types of staging Dockerfiles: operating system, software dependency, a
 * To change a dependency in a C-PAC image, update the stage images at the top of the relevant `.github/Dockerfiles/C-PAC.develop-*.Dockerfile`.
 * If a Dockerfile does not yet exist for the added dependency, create a Dockerfile for the new dependency and add the filename (without extension) to [`jobs.stages.strategy.matrix.Dockerfile` in `.github/workflows/build_stages.yml`](https://github.com/FCP-INDI/C-PAC/blob/4e18916384e52c3dc9610aea3eed537c19d480e3/.github/workflows/build_stages.yml#L77-L97)
 * If no Dockerfiles use the removed dependency, remove the Dockerfile for the dependency and remove the filename from [`jobs.stages.strategy.matrix.Dockerfile` in `.github/workflows/build_stages.yml`](https://github.com/FCP-INDI/C-PAC/blob/4e18916384e52c3dc9610aea3eed537c19d480e3/.github/workflows/build_stages.yml#L77-L97)
+* When making changes to a Dockerfile, include the line `[rebuild {filename}]` where `filename` is the name of the Dockerfile without the extension (e.g., `[rebuild Ubuntu.jammy-non-free]`).