tj-actions/changed-files with Falco Actions
Blog post from Sysdig
Falco Actions is an open-source project that monitors CI/CD workflows at runtime, using the open-source tool Falco to detect potential threats while a job is executing. It was instrumental in identifying the compromise of the GitHub Action tj-actions/changed-files (CVE-2025-30066), which affected numerous repositories: the attacker used a compromised GitHub Personal Access Token to point the action's existing version tags at a malicious commit, so any workflow that referenced the action by tag rather than by commit SHA picked up the payload. The payload read the memory of the Runner.Worker process through the proc filesystem (the process's maps and mem entries) to harvest the secrets the runner holds in memory, and exposed them in the workflow logs.

Falco Actions provides detection rules for exactly this pattern, procfs access to another process's memory from inside a job, and can be integrated into GitHub workflows to track the runtime activity of each job and alert on rule matches. Its analyze mode gathers comprehensive information about a workflow execution and can enrich the result through external services such as VirusTotal and OpenAI to produce a detailed report with remediation options.

The incident underscores the growing risk of supply chain attacks in CI/CD environments and the value of runtime security controls, which can catch a compromised dependency that pinning and static review alone would miss and limit the damage it does.
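The detection the post describes, written as a standalone Falco rule. This is an added example, not a rule shipped by Falco Actions or taken from the Sysdig post; it uses only standard Falco fields and operators (evt.type, evt.is_open_read, fd.name, proc.name, glob, startswith) and assumes Falco is observing syscalls inside the runner, as Falco Actions does. The list name and its single entry are assumptions for illustration.

```yaml
# Added example (not Falco Actions' own rule). Flags reads of another
# process's memory via procfs inside a CI job, which is how the
# tj-actions/changed-files payload scraped secrets out of Runner.Worker.

# Assumed allowlist of tools that may legitimately open /proc/<pid>/mem.
- list: ci_procfs_allowed_readers
  items: [gdb]

- rule: Process memory read via procfs in CI job
  desc: >
    A process opened /proc/<pid>/mem for reading, or /proc/<pid>/maps for a
    pid other than its own. Build and test steps almost never need to read
    another process's memory; a credential scraper running inside a job does.
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_read=true
    and (
      fd.name glob "/proc/*/mem"
      or (fd.name glob "/proc/*/maps" and not fd.name startswith "/proc/self/")
    )
    and not proc.name in (ci_procfs_allowed_readers)
  output: >
    Process memory read via procfs (file=%fd.name proc=%proc.name
    cmdline=%proc.cmdline parent=%proc.pname user=%user.name)
  priority: WARNING
  tags: [ci, supply_chain, credential_access]
```

The mem branch is the high-signal part: nothing in a normal job opens another process's memory. The maps branch is noisier, because language runtimes routinely read their own /proc/self/maps, which is why self reads are excluded; if a runtime in your jobs opens /proc/<own-pid>/maps by numeric pid rather than via self, drop that branch or add the process to the allowlist rather than silencing the whole rule. Note that the rule only covers the procfs path; memory can also be read with ptrace or process_vm_readv, which need their own rules on those syscalls.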