- Malicious Code Incident: A week ago, malicious code was added to the tj-actions/changed-files GitHub Action. If used, it leaked secrets to build logs. Build logs of public repos are public, so the secrets could be seen by anyone.
- Mutable vs Immutable References: The attack was possible because of the common practice of referring to tags in GitHub Actions workflows. A seemingly immutable reference to a "version 2" action is actually a mutable Git tag. Specifying a Git commit ID is an immutable reference that runs the same code each time. Tags offer convenience; commit IDs ensure the code you run does not change.
- Checking for Mutable References: The author ran a shell script to check for mutable references in their local repos. The script uses Unix pipelines to find GitHub Actions workflow files, grep for "uses:", and perform various text processing operations to tidy and count the actions used. The output shows the tally of actions used.
- How the Script Works: The script uses `find` to locate `.yml` files in `.github/workflows/` folders. `xargs` and `grep` process the filenames. `sed` replaces `- uses:` with `uses:`, `tr` removes double quotes, and `awk` prints the second token (the action name). `sed` is also used to remove carriage returns. Finally, `sort`, `uniq --count`, and `sort --numeric-sort` group and count the actions.
- Recommendation: If you use GitHub Actions, you can use this script to check your own actions. It is worth becoming familiar with Unix text processing tools and pipelines, as they are still a powerful way to process data.
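The pipeline described above, rebuilt as an added shell example that is not the article's own script: it runs on a constructed sample workflow tree and goes one step further by flagging which `uses:` references are mutable tags or branches rather than pinned 40-hex commit IDs (the sample action names, the `@v45` tag and the SHA are made up).

```shell
#!/bin/sh
# Added example, not the article's script: build a constructed .github/workflows
# tree, tally every "uses:" reference the way the article's pipeline does, then
# flag references that are mutable (tag or branch) instead of a 40-hex commit ID.
set -eu

# Constructed sample workflows; the SHA below is a made-up placeholder.
setup_demo() {
  mkdir -p "$1/.github/workflows"
  cat > "$1/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: "tj-actions/changed-files@v45"
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
EOF
  printf 'jobs:\n  t:\n    steps:\n      - uses: actions/checkout@v4\r\n' \
    > "$1/.github/workflows/test.yml"   # CRLF endings the pipeline must strip
}

# find | xargs grep | sed | tr | awk | sort | uniq -c | sort -n, as in the
# article (short option names so both BSD and GNU tools accept them).
tally_uses() {
  find "$1" -path '*/.github/workflows/*.yml' -print0 \
    | xargs -0 grep -h 'uses:' \
    | sed 's/- uses:/uses:/' | tr -d '"\r' | awk '{print $2}' \
    | sort | uniq -c | sort -n
}

# "owner/repo@ref" is immutable only when ref is a full 40-hex commit ID;
# a tag (v4), a branch (main) or a missing @ref can change underneath you.
classify_ref() {
  ref="${1#*@}"
  case "$ref" in *[!0-9a-f]*) echo mutable; return ;; esac
  if [ "$1" != "$ref" ] && [ "${#ref}" -eq 40 ]; then echo immutable; else echo mutable; fi
}

# One line per distinct mutable reference found under the tree.
list_mutable() {
  tally_uses "$1" | awk '{print $2}' | while read -r ref; do
    if [ "$(classify_ref "$ref")" = mutable ]; then echo "$ref"; fi
  done | sort -u
}

# Demo run on a throwaway directory (constructed data only).
demo_dir=$(mktemp -d) && setup_demo "$demo_dir"
tally_uses "$demo_dir"; echo '--- mutable references:'; list_mutable "$demo_dir"
rm -rf "$demo_dir"
```

Point `tally_uses` and `list_mutable` at a directory of your own checkouts to get the same tally and a list of references worth pinning to a commit ID.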