🚨 Popular GitHub Action tj-actions/changed-files is compromised
Blog post from Semgrep
The popular GitHub Action tj-actions/changed-files has been compromised with a payload designed to reveal secrets, affecting numerous CI pipelines. This incident is not isolated: a prior vulnerability in the same action (CVE-2023-51664) had already been reported.

To mitigate the risk, users are advised to search their codebases for the compromised action and replace it with safer alternatives or inline logic. GitHub also provides a feature to allow-list actions, so that a disallowed action will not execute even if a workflow still references it. Users are further encouraged to audit past workflow runs for signs of compromise, such as suspicious outbound network requests, especially in the logs of public CI runners.

The compromised action's tags have been reverted and a new version has been released. Further research indicated additional compromises in reviewdog actions, which call for the same precautions. Users are advised to rotate any potentially exposed secrets and to pin actions to immutable commits to avoid similar exposure in future. Semgrep has provided rules to detect usage of both tj-actions and reviewdog actions.
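An added example, not code from Semgrep's post, showing the two checks the advice above boils down to: a scanner that walks a workflow file's `uses:` lines, flags references to the tj-actions and reviewdog organizations, and reports any action that is pinned to a tag or branch rather than an immutable commit. The sample workflow, the watchlist prefixes and the 40-character SHA are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample workflow (not a real repository's file).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
"""

# Organizations named in the advisory; extend as needed (assumed list).
WATCHLIST_PREFIXES = ("tj-actions/", "reviewdog/")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    watchlisted: bool
    pinned_to_sha: bool

def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per marketplace action referenced by a `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith(("./", "docker://")):
            continue  # local or container actions carry no marketplace tag
        action, _, ref = uses.partition("@")
        findings.append(Finding(lineno, action, ref,
                                action.startswith(WATCHLIST_PREFIXES),
                                bool(FULL_SHA_RE.match(ref))))
    return findings

def flag_findings(findings: list[Finding]) -> list[Finding]:
    """Keep actions that are on the watchlist or not pinned to a commit SHA."""
    return [f for f in findings if f.watchlisted or not f.pinned_to_sha]

if __name__ == "__main__":
    for f in flag_findings(scan_workflow(SAMPLE_WORKFLOW)):
        reason = "watchlisted" if f.watchlisted else "mutable ref"
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'} ({reason})")
```

Run it over each file under `.github/workflows/` in a repository; a watchlisted hit is the cue to remove or replace the action and rotate secrets, while a mutable ref is the cue to re-pin to a reviewed commit.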