- Malicious Code Incident: A week ago, malicious code was added to the tj-actions/changed-files GitHub Action. If used, it leaked secrets to build logs. Build logs of public repos are public, so secrets could be seen.
- Mutable vs Immutable References: The attack was possible due to the common practice of referring to tags in GitHub Actions workflows. A seemingly immutable reference to a "version 2" action is actually a mutable Git tag. Specifying a Git commit ID is an immutable reference that runs the same code each time. Tags offer convenience while commit IDs ensure code stability.
- Checking for Mutable References: The author ran a shell script to check for mutable references in their local repos. The script uses Unix pipelines to find GitHub Actions workflow files, grep for "uses:", and perform various text processing operations to tidy and count the actions used. The output shows the tally of actions used.
- How the Script Works: The script uses `find` to locate `.yml` files in `.github/workflows/` folders. `xargs` and `grep` are used to process the filenames. `sed` is used to replace `- uses:` with `uses:`, double quotes are removed with `tr`, and `awk` is used to print the second token (the action name). `sed` is also used to remove carriage returns. Finally, `sort`, `uniq --count`, and `sort --numeric-sort` are used to group and count the actions.
- Recommendation: If using GitHub Actions, one might use this script to check their own actions. It is recommended to become familiar with Unix text processing tools and pipelines, as they are still a powerful way to process data.
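Added here as an example, not the original post's script: a POSIX shell reconstruction of the tally pipeline described above, extended with a second function that flags any reference not pinned to a 40-character commit SHA. The sample workflow files, the placeholder SHA and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Assumes a GNU or BSD userland with find, xargs, grep, sed, tr, awk,
# sort and uniq; short options (-c, -n) are used for portability.

# Write a constructed sample repo with two workflow files under $1.
make_sample_repo() {
  wf="$1/.github/workflows"
  mkdir -p "$wf"
  # One step uses a CRLF line ending and one a quoted value, to exercise
  # the tr clean-up step of the pipeline.
  printf 'name: CI\non: [push]\njobs:\n  build:\n    steps:\n' > "$wf/ci.yml"
  printf '      - uses: actions/checkout@v4\n' >> "$wf/ci.yml"
  printf '      - uses: "actions/setup-node@v4"\r\n' >> "$wf/ci.yml"
  printf '      - uses: tj-actions/changed-files@v45\n' >> "$wf/ci.yml"
  printf 'name: Release\non: [release]\njobs:\n  publish:\n    steps:\n' > "$wf/release.yml"
  printf '      - uses: actions/checkout@v4\n' >> "$wf/release.yml"
  # Constructed placeholder SHA (not a real commit) showing a pinned reference.
  printf '      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567\n' >> "$wf/release.yml"
}

# Tally every action referenced in .github/workflows/*.yml under $1.
# Output: "<count> <owner/repo@ref>" per line, least used first.
tally_actions() {
  # find | xargs grep: collect "uses:" lines from every workflow (-h drops names)
  # sed: normalise "- uses:" to "uses:"; tr: drop double quotes and CRs;
  # awk: keep the second token (the action reference);
  # sort | uniq -c | sort -n: group identical references and count them.
  find "$1/.github/workflows" -name '*.yml' \
    | xargs grep -h 'uses:' \
    | sed 's/- uses:/uses:/' \
    | tr -d '"\r' \
    | awk '{print $2}' \
    | sort | uniq -c | sort -n
}

# List tallied references that are NOT pinned to a full 40-hex commit SHA.
# A tag or branch is a mutable Git ref that can later point at different code.
mutable_refs() {
  tally_actions "$1" | awk '{print $2}' | grep -v -E '@[0-9a-f]{40}$'
}

# Usage: sh check_actions.sh /path/to/repo
if [ -n "$1" ]; then
  echo "== action tally =="; tally_actions "$1"
  echo "== mutable references =="; mutable_refs "$1"
fi
```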