
Conversation

@shnizzedy
Member

@shnizzedy shnizzedy commented Mar 15, 2025

Fixes

Addresses https://github.com/FCP-INDI/C-PAC/security/dependabot/48 by @dependabot & CVE-2023-51664 by StepSecurity

Description

Removes compromised GitHub Action. As a result, the CI will need to be manually notified of changes to Dockerfiles for the near future:

* When making changes to a Dockerfile, include the line `[rebuild (unknown)]` where `filename` is the name of the Dockerfile without the extension (e.g., `[rebuild Ubuntu.jammy-non-free]`).

Technical details

Sometime in the last 24 hours a bad actor got malicious code into tj-actions/changed-files that enables secrets to be revealed, and used revealed secrets in that action to gain sufficient access to point all versions of the action to the malicious version. A few runs of the action in this repo were affected, but the only secret exposed here (luckily) was the automatic token.

Screenshots

a compromised secret

Checklist

  • My pull request has a descriptive title (not a vague title like Update index.md).
  • My pull request targets the develop branch of the repository.
  • My commit messages follow best practices.
  • My code follows the established code style of the repository.
  • I added tests for the changes I made (if applicable).
  • I updated the changelog.
  • I added or updated documentation (if applicable).
  • I tried running the project locally and verified that there are no visible errors.

Developer Certificate of Origin

Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
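The PR replaces the third-party "changed files" action with an explicit `[rebuild <name>]` line in the commit message. The script below is an added example of how a workflow step could consume that convention; it is not C-PAC's own CI code. It assumes (hypothetically) that Dockerfiles live under `.github/Dockerfiles/` with a `.Dockerfile` extension and that the result feeds a GitHub Actions build matrix. Tag names are restricted to a conservative character set, so a commit message cannot inject path components or shell metacharacters into a later build step.

```shell
#!/bin/sh
# Added example (not C-PAC's own CI code): parse "[rebuild NAME]" tags out of a
# commit message so CI can pick the Dockerfiles to rebuild without depending on
# a third-party action for change detection.

# Hypothetical location and naming of the Dockerfiles in the repository.
DOCKERFILE_DIR=".github/Dockerfiles"
DOCKERFILE_EXT=".Dockerfile"

# Print each NAME from every "[rebuild NAME]" tag in the message given as $1,
# one per line, de-duplicated. Only letters, digits, '.', '_' and '-' are
# accepted, so a tag like "[rebuild ../x]" is silently ignored rather than
# being turned into a path.
rebuild_targets() {
    printf '%s\n' "$1" \
        | grep -o '\[rebuild [A-Za-z0-9._-]\{1,\}\]' \
        | sed 's/^\[rebuild //; s/\]$//' \
        | sort -u
}

# Map a validated tag name to the Dockerfile path the build step would use.
dockerfile_path() {
    printf '%s/%s%s\n' "$DOCKERFILE_DIR" "$1" "$DOCKERFILE_EXT"
}

# Render the target list as a JSON array suitable for a workflow matrix input,
# e.g. ["Ubuntu.jammy-non-free"]. Emits [] when the message carries no tag.
rebuild_matrix() {
    names=$(rebuild_targets "$1")
    if [ -z "$names" ]; then
        echo '[]'
        return 0
    fi
    printf '%s\n' "$names" \
        | sed 's/.*/"&"/' \
        | paste -s -d ',' - \
        | sed 's/^/[/; s/$/]/'
}

# Constructed sample commit message: one valid tag repeated twice and one
# malformed tag that must be rejected.
SAMPLE_MESSAGE='Bump base image

[rebuild Ubuntu.jammy-non-free]
[rebuild Ubuntu.jammy-non-free]
[rebuild bad/../name]'

# Demonstration when run directly.
echo "targets:"
rebuild_targets "$SAMPLE_MESSAGE"
echo "matrix: $(rebuild_matrix "$SAMPLE_MESSAGE")"
for name in $(rebuild_targets "$SAMPLE_MESSAGE"); do
    echo "would build: $(dockerfile_path "$name")"
done
```

In a workflow, `rebuild_matrix "$(git log -1 --pretty=%B)"` would be written to `$GITHUB_OUTPUT` and consumed by a downstream job's `strategy.matrix`; an empty array means no image rebuild is needed for that push.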

@shnizzedy shnizzedy requested a review from a team March 15, 2025 18:54
@shnizzedy shnizzedy moved this to 👀 In review in C-PAC Development Mar 15, 2025
@shnizzedy shnizzedy merged commit 58e3dff into develop Mar 15, 2025
25 checks passed
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in C-PAC Development Mar 15, 2025
@shnizzedy shnizzedy deleted the CVE-2023-51664 branch March 15, 2025 19:29

Projects

Status: ✅ Done

Development


2 participants