Restrictions in GitHub Actions and policy changes


R. Tyler Croy

Mar 25, 2026, 12:38:16 PM
to delta...@googlegroups.com
Yesterday there was a supply-chain attack identified[0] in the Python
ecosystem on some packages through a compromised tool being used in
GitHub Actions[1].

**There is no indication of compromise for any Delta Lake packages or infrastructure.**
As a precaution maintainers of the Delta Lake project immediately
disabled GitHub Actions across the GitHub organization so that any
potential impact could be assessed. Some developers may have had their
work interrupted but otherwise there is no end-user impact from these
actions.

While this incident did not affect the project directly, we are taking
the opportunity to implement some stronger safeguards, as these forms of
supply-chain attacks have been increasing over the last 2 years. We are:

* Working with security experts to define a more strict GitHub Actions
policy across the delta-io and delta incubator organizations.

* Auditing recent activity across the org. and the GitHub Actions used by projects.

* Setting up a responsible disclosure process to inform project
maintainers and allow for swift remediation of any potential issues
for the project in the future.

We apologize for any potential disruption to contributors of the Delta
Lake project while we restore some functionality in GitHub as our audit
completes.

Cheers
- R. Tyler Croy

Note: this advisory was also posted in GitHub Discussions here:
<https://github.com/delta-io/delta/discussions/6385>

[0]: <https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/>
[1]: <https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/>
