Skip to content

🔖(deps): Update tj-actions/changed-files digest to 0e58ed8#1111

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/tj-actions-changed-files-digest
Mar 14, 2025
Merged

🔖(deps): Update tj-actions/changed-files digest to 0e58ed8#1111
renovate[bot] merged 1 commit intomainfrom
renovate/tj-actions-changed-files-digest

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 14, 2025

This PR contains the following updates:

Package Type Update Change
tj-actions/changed-files action digest 9200e69 -> 0e58ed8

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) March 14, 2025 20:47
@renovate renovate bot merged commit 964b103 into main Mar 14, 2025
9 checks passed
@renovate renovate bot deleted the renovate/tj-actions-changed-files-digest branch March 14, 2025 22:17
xnox
xnox suggested changes Mar 15, 2025
View reviewed changes
Copy link

@xnox xnox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tj-actions/changed-files#2463

Please revert

This was referenced Mar 15, 2025
Closed
Closed
@monperrus
Copy link
Contributor

monperrus commented Mar 17, 2025

@LogFlames already reverted or not? of not could you do it?

@algomaster99
Copy link
Member

algomaster99 commented Mar 17, 2025
edited
Loading

Yes, it is handled. @LogFlames rebased the commit out of main branch.

algomaster99 pushed a commit that referenced this pull request Mar 17, 2025
@renovate @algomaster99
🔖(deps): Update tj-actions/changed-files digest to 0e58ed8 (#1111)
0501803 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
algomaster99 added a commit that referenced this pull request Mar 17, 2025
@algomaster99
Revert ":bookmark:(deps): Update tj-actions/changed-files digest to 0…
b92eb94 
…e58ed8 (#1111)"

This version of `changed-files` contains [malicious code](tj-actions/changed-files@0e58ed8).
Reverting as suggested [here](#1111 (review)).
@algomaster99
Copy link
Member

algomaster99 commented Mar 17, 2025
edited
Loading

I put the back the commit 964b103 (after rebasing it is 0501803) and reverted that in b92eb94. This is done in order to maintain a transparent commit log. Thanks @xnox !

@LogFlames the current commit (b92eb94) on main fails because action/checkout cannot be downloaded. Could you help me debug this?

monperrus added a commit that referenced this pull request Mar 18, 2025
@monperrus
Revert ":bookmark:(deps): Update tj-actions/changed-files digest to 0…
3704f37 
…e58ed8 (#1111)"

This reverts commit 964b103.

This is a supply chain attack see:
- https://www.endorlabs.com/learn/github-action-tj-actions-changed-files-supply-chain-attack-what-you-need-to-know
- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
- renovatebot/renovate#34829
@monperrus
Copy link
Contributor

monperrus commented Mar 18, 2025

FTR, revert commit is 3704f37

@algomaster99 algomaster99 mentioned this pull request Mar 18, 2025
Merged
@LogFlames LogFlames mentioned this pull request Mar 18, 2025
Closed
LogFlames pushed a commit that referenced this pull request Mar 18, 2025
@renovate @LogFlames
🔖(deps): Update tj-actions/changed-files digest to 0e58ed8 (#1111)
75b4ce2 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
LogFlames pushed a commit that referenced this pull request Mar 18, 2025
@algomaster99 @LogFlames
Revert ":bookmark:(deps): Update tj-actions/changed-files digest to 0…
d24ee6f 
…e58ed8 (#1111)"

This version of `changed-files` contains [malicious code](tj-actions/changed-files@0e58ed8).
Reverting as suggested [here](#1111 (review)).
@LogFlames LogFlames mentioned this pull request Mar 18, 2025
Closed
@LogFlames
Copy link
Member

LogFlames commented Mar 24, 2025
edited
Loading

@algomaster99

@LogFlames the current commit (b92eb94) on main fails because action/checkout cannot be downloaded. Could you help me debug this?

CI is now up and running again. Seems tj-actions/changed-files had been banned/depricated/removed in some way, even the older sha which we reverted to. This lead to any action containing it could not be run in chains-project/maven-lockfile (but could be ran in LogFlames/maven-lockfile-action-test-project for example)

The error is very weird and non descriptive, if I removed actions/checkout from the maven-lockfile action the next action (actions/setup-java) was the one that got the same "Missing download info" error.

Also, because we cannot release without using the action an interim non-release action sha had to be used where tj-actions/changed-files was removed.

@algomaster99
Copy link
Member

algomaster99 commented Mar 25, 2025

but could be ran in LogFlames/maven-lockfile-action-test-project for example

That's weird. It seems the restriction is project based which makes me question what projects it won't work on.

Also, because we cannot release without using the action an interim non-release action sha had to be used where tj-actions/changed-files was removed.

Makes sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@xnox xnox xnox requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@monperrus @algomaster99 @LogFlames @xnox