Github Actions - Supply Chain Attacks

Discussion of the recent tj-actions/changed-files action compromise, and how we could prevent it.
3 min read
#security
Related Podcast Episode
One Million Bytes - S1E3 - Github Actions - Supply Chain Attacks
3/26/2025
In this episode, we discuss the recent tj-actions/changed-files compromise and how similar incidents may be prevented in the future

On March 14, 2024, a popular Github action for detecting changed files was compromised, @tj-actions/changed-files. The attacker overwrote all existing versions of the action to run a script which dumped out the secrets stored in the Github actions runner.

Here’s a more in-depth writeup, containing more technical details on the incident: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Existing Solutions

There are existing solutions to pinning versions in Github actions today. For example, instead of:

- name: Get all changed files
  id: changed-markdown-files
  uses: tj-actions/changed-files@v46

You would use:

- name: Get all changed files
  id: changed-markdown-files
  uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46

This ensures that only revision 823fcebdb31bb35fdf2229d9f769b400309430d0 can be loaded when your action runs. This also means it’s tough for authors to push changes.

How might we improve this?

Repository-Specific Pins

We could also build a settings interface within each repository. It might work like this:

  1. If an action hasn’t been used before, we record it’s tag and commit hash in the settings.
  2. For each action that has been used before, we always use the stored commit hash and not the latest version pushed to the tag.

We could then build a settings interface, listing all the pinned versions of each specific action. When updates are available, they could be listed there, along with a diff of exactly what changed.

All things being equal, I think an approach like this is probably what’s best for the platform as a whole, because it can be deployed without users needing to perform any changes to their existing code.

Version Pinning

We could also potentially add a new section to each Github action workflow file, allowing code to better interpret and manage this, e.g. via Dependabot.

Note: Dependabot already supports upgrading Github Actions versions, but it’s important to note - there’s still no way to require pinning to commits instead of tags. And - it’s still not easily readable for users who are trying to see what versions things are running. If you’re looking for a solution to upgrading things, this plus using commit hashes for versioning is probably the best you an do for now.

The reason I don’t think is an ideal solution for Github as a whole, is that unless a user specifically opts in to and uses the commit hashes to specify the versions for their favorite actions - this won’t prevent the attack. Thus, I think a more platform-wide, by-default solution is best to defend against these kinds of compromises.

Here’s what a version of action tag ⇔ commit pinning might look like, and also included could even be an option to enforce it file-wide?

security:
  version-pinning:
    required: true
    versions:
      tj-actions/changed-files@v46: 823fcebdb31bb35fdf2229d9f769b400309430d0

Feedback

Found a typo or technical problem? report an issue!

Subscribe to my Newsletter

Like this post? Subscribe to get notified for future posts like this.