
fix(build.yaml): pin tj-actions/changed-files action due to compromise #2874

Merged
merged 1 commit into from
Mar 15, 2025

Conversation

JJGadgets
Contributor

@JJGadgets JJGadgets commented Mar 15, 2025

Ideally it'd be swapped out for an alternative, but for now this is to mitigate running known compromised code.

Or, y'all can locally clone the Action's repo from the hash that's been pinned and push it as a mirror to the zmkfirmware org to be more safe for now?

Additionally, automerge and PR creation of updates for this action should be disabled for now to prevent accidental updates to the latest hash.

tj-actions/changed-files#2463
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

(Forked, edited and PRed from GitHub Mobile app to make it quick so none of the below have been done, hope y'all don't mind for a simple change)

PR check-list

  • Branch has a clean commit history
  • Additional tests are included, if changing behaviors/core code that is testable.
  • Proper Copyright + License headers added to applicable files (Generally, we stick to "The ZMK Contributors" for copyrights to help avoid churn when files get edited)
  • Pre-commit used to check formatting of files, commit messages, etc.
  • Includes any necessary documentation changes.

Ideally it'd be swapped out for an alternative, but for now this is to mitigate.
@JJGadgets JJGadgets requested a review from a team as a code owner March 15, 2025 02:46
@petejohanson petejohanson merged commit 4da89bd into zmkfirmware:main Mar 15, 2025
22 checks passed
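The mitigation discussed in this PR (pin the action to a full commit SHA instead of a tag, and stop dependency bots from bumping it until an alternative is chosen) is easy to get wrong silently, because a tag like `@v45` looks pinned but can be moved by whoever controls the upstream repo. The script below is an added example, not code from ZMK or from this PR: it scans a workflow file for `uses:` lines that are not pinned to a 40-hex SHA, flags SHA pins with no version comment (which makes a bot bump unreviewable by eye), and checks that a "frozen" action is still at the SHA you reviewed. The SHAs, the sample workflow, and the `FROZEN` map are constructed placeholders; the actual hash pinned in the PR is not shown on this page.

```python
"""Audit GitHub Actions workflow files for `uses:` references that are not
pinned to an immutable commit SHA, and for actions that must stay frozen
at a known-good SHA. Added example, not part of ZMK or this PR."""
import re
import sys

# A full 40-hex commit SHA is the only ref form that a retroactively moved
# tag or branch cannot redirect to different code.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref  # optional version comment`.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(#.*)?$""")

# Constructed placeholder SHAs for the sample below; they are not real commits.
SHA_KNOWN_GOOD = "0123456789abcdef0123456789abcdef01234567"
SHA_OTHER = "fedcba9876543210fedcba9876543210fedcba98"

# Actions that must stay at one reviewed SHA until an alternative is adopted;
# any other ref is reported so a bot-opened bump PR cannot slip in unnoticed.
# (Assumed policy for this example, not ZMK's configuration.)
FROZEN = {"tj-actions/changed-files": SHA_KNOWN_GOOD}

# Constructed sample workflow (not ZMK's build.yaml).
SAMPLE_WORKFLOW = f"""\
name: Build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@{SHA_KNOWN_GOOD}
      - uses: tj-actions/changed-files@{SHA_OTHER} # v46.0.0
      - uses: tj-actions/changed-files@{SHA_KNOWN_GOOD} # v45.0.0
        id: changed
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def is_sha_pinned(ref):
    """True when `owner/repo@ref` uses a full commit SHA as its ref."""
    _, _, version = ref.partition("@")
    return bool(SHA_RE.match(version))


def audit_workflow(text, frozen=None):
    """Return (line_no, ref, reason) tuples for every problematic `uses:` line."""
    frozen = frozen or {}
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and container images have no remote git tag
        # to hijack; they are out of scope for this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        if not version:
            findings.append((line_no, ref, "no ref given, resolves to default branch"))
        elif not SHA_RE.match(version):
            findings.append((line_no, ref, "mutable ref (tag or branch), not a commit SHA"))
        elif not comment:
            findings.append((line_no, ref, "SHA pin lacks a version comment, bumps cannot be reviewed by eye"))
        if name in frozen and version != frozen[name]:
            findings.append((line_no, ref, f"frozen action, expected {frozen[name]}"))
    return findings


if __name__ == "__main__":
    # Pass a workflow path to audit a real file; otherwise audit the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for line_no, ref, reason in audit_workflow(text, FROZEN):
        print(f"line {line_no}: {ref}: {reason}")
```

Run it against `.github/workflows/*.yaml` in CI or a pre-commit hook so a dependency bot's bump of a frozen action fails the check instead of being automerged. The script only covers the "pin and freeze" half of the PR's suggestions; mirroring the action into the org and disabling bot update PRs are repository configuration, not something a file scan can enforce.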