Fwd: IMPORTANT: Critical GitHub security vulnerability PLEASE READ


Damien Duportal

Mar 17, 2025, 10:48:16 AM
to Jenkins Infrastructure
For info

Please note: the only explicit occurrence we have of this action on jenkins-infra is https://github.com/jenkins-infra/keptn, which was archived (e.g. GHA not enabled) years ago.

I guess it is time to start applying restrictions to the GitHub Actions we are using in jenkins-infra. To be quite transparent, I thought it was already the case, but clearly it is not: let's start using only GHA from jenkins-infra (or explicitly allowed sources).
Any objection?

Damien


---------- Forwarded message ---------
From: Michelle Martineau <mmart...@linuxfoundation.org>
Date: Mon, 17 Mar 2025 at 13:17
Subject: IMPORTANT: Critical GitHub security vulnerability PLEASE READ
To: Mark Waite <mark.ea...@gmail.com>, Damien Duportal <damien....@gmail.com>, Cameron Motevasselani <cmoteva...@spinnaker.io>, Andrea Frittoli <andrea....@gmail.com>, Dadisi Sanyika <dadisi....@apple.com>, Mårten Svantesson <msvan...@gmail.com>, Tracy Ragan <tr...@deployhub.com>, Steve Taylor <st...@deployhub.com>


CDF Projects,

We want to inform you of a critical security vulnerability that has been discovered in a commonly used community-maintained GitHub Action. This vulnerability has the potential to expose GitHub Actions secrets.  

Here is the GHSA in question:  https://github.com/advisories/GHSA-mrrh-fwg8-r2c3


The vulnerability involved the tj-actions/changed-files action, resulting in the public exposure of secrets via base64 encoding in log files. A summary of the vulnerability can be found here:  https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066


Recommended Actions for All Open Source Communities:

  • Check all repositories for any use of the vulnerable action
    • GitHub Search does not return all possible results; a full search of Git objects (from a local repository clone) is the most effective way to ensure all branches and changes are detected.
  • Check all action runs to see if any secrets leaked
  • Remove use of the tj-actions/changed-files action (currently blocked by GH)
  • Rotate any leaked secrets
Please let me know if you have any questions; we're working with LF IT to help answer them and assist communities.

MICHELLE MARTINEAU | SENIOR PROGRAM MANAGER

mmart...@linuxfoundation.org
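The second bullet of the forwarded advice (search Git objects from a local clone rather than relying on GitHub Search) is the kind of check worth scripting, because the default branch is rarely where a stale workflow lingers. The following POSIX shell script is an added example and is not part of the thread or of any jenkins-infra tooling; it assumes `git` is installed and builds its own constructed fixture repository (with a made-up stale branch) so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the thread: search every commit reachable from any
# branch or tag of a local clone for a reference to a GitHub Action. A search
# confined to the default branch (or to GitHub code search) misses stale
# branches that still pull the action in. Assumes git is installed.
set -eu

# search_default_branch REPO_DIR PATTERN
# Only looks at the checked-out HEAD, the way a quick grep of a clone would.
search_default_branch() {
  git -C "$1" grep -n -e "$2" HEAD -- '.github/workflows' || true
}

# search_all_refs REPO_DIR PATTERN
# Looks at every commit reachable from any ref. Output lines are
# "<commit>:<path>:<line>:<text>". git grep exits 1 when nothing matches,
# hence the "|| true" so that an empty result is not treated as an error.
search_all_refs() {
  git -C "$1" grep -n -e "$2" $(git -C "$1" rev-list --all) -- '.github/workflows' || true
}

# count_lines: helper so callers get a plain integer without stray spaces.
count_lines() { wc -l | tr -d ' '; }

# make_demo_repo DIR
# Builds a constructed fixture repository (not a real jenkins-infra project):
# the default branch uses only actions/checkout, while an abandoned feature
# branch still references tj-actions/changed-files.
make_demo_repo() {
  dir="$1"
  mkdir -p "$dir/.github/workflows"
  git -C "$dir" init -q
  main=$(git -C "$dir" symbolic-ref --short HEAD)
  cat > "$dir/.github/workflows/ci.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF
  git -C "$dir" add -A
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m "ci: initial workflow"
  git -C "$dir" checkout -q -b old-feature
  cat >> "$dir/.github/workflows/ci.yml" <<'EOF'
      - uses: tj-actions/changed-files@v45
EOF
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -a -m "ci: add changed-files (constructed stale branch)"
  git -C "$dir" checkout -q "$main"
}

# demo: builds the fixture in a temporary directory and shows the difference
# between a default-branch search and an all-refs search.
demo() {
  tmp=$(mktemp -d)
  make_demo_repo "$tmp"
  echo "default branch only: $(search_default_branch "$tmp" 'tj-actions/changed-files' | count_lines) hit(s)"
  echo "all refs:            $(search_all_refs "$tmp" 'tj-actions/changed-files' | count_lines) hit(s)"
  search_all_refs "$tmp" 'tj-actions/changed-files'
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `--demo` to see the default-branch search report zero hits while the all-refs search reports the stale branch. `git rev-list --all` covers every commit reachable from a branch, tag or HEAD; objects that are no longer referenced by any ref (for example after a force-push) are not covered and would need `git fsck --unreachable` on the clone to surface. Point the two search functions at a real clone and the action name you are hunting for to use them outside the demo.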




Oleg Nenashev

Mar 17, 2025, 12:04:14 PM
to jenkin...@googlegroups.com
+1 for jenkins-infra. 

I am not so sure about locking down the actions list completely for jenkinsci in the future, but it is also a good call to action for enforcing some best practices:
  • A permit list for external actions
  • Mandatory use of hashcode instead of tags
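The two practices in the reply above (a permit list of action owners and pinning to a commit hash rather than a tag) are mechanical enough to check in CI. The following POSIX shell script is an added example, not part of the thread or of any jenkins-infra tooling; the permit list `jenkins-infra actions`, the action name `jenkins-infra/some-internal-action` and the 40-hex placeholder SHA in the sample workflow are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the "uses:" lines of a workflow
# file against two rules: the action's owner must be on a permit list, and
# the action must be pinned to a full 40-hex commit SHA rather than a mutable
# tag. The permit list and the sample workflow are constructed assumptions.
set -eu

# audit_uses FILE "owner1 owner2 ..."
# Prints one line per violation, "FILE:LINE: reason (ref)", and nothing when
# the workflow is clean. Local composite actions (./path) and docker:// refs
# are not marketplace actions and are skipped.
audit_uses() {
  file="$1"
  allowed="$2"
  grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" | while IFS= read -r line; do
    lineno=${line%%:*}
    # Strip the "N:   - uses:" prefix, surrounding quotes and any trailing comment.
    ref=$(printf '%s\n' "$line" \
      | sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' \
      | sed -E "s/[\"']//g; s/[[:space:]]*(#.*)?$//")
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    owner=${ref%%/*}
    target=${ref#*@}
    if [ "$target" = "$ref" ]; then
      target=""   # no "@" at all, so nothing is pinned
    fi
    ok=0
    for o in $allowed; do
      if [ "$o" = "$owner" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then
      echo "$file:$lineno: owner '$owner' not on the permit list ($ref)"
    fi
    if ! printf '%s\n' "$target" | grep -qE '^[0-9a-f]{40}$'; then
      echo "$file:$lineno: not pinned to a full commit SHA ($ref)"
    fi
  done
}

# write_demo_workflow FILE
# Constructed sample workflow, not a real jenkins-infra workflow. The SHA on the
# checkout step is a placeholder, not a real actions/checkout commit.
write_demo_workflow() {
  cat > "$1" <<'EOF'
name: demo
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: "jenkins-infra/some-internal-action@v1"
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-helper
EOF
}

# demo: writes the sample workflow to a temp file and audits it.
demo() {
  f=$(mktemp)
  write_demo_workflow "$f"
  audit_uses "$f" "jenkins-infra actions"
  rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

With the permit list `jenkins-infra actions`, the sample produces three findings: the internal action is on the list but pinned to a tag, and `tj-actions/changed-files` fails both rules; the local composite action is ignored and the SHA-pinned checkout passes. Pinning to a SHA only helps if the SHA is one you reviewed, so the usual companion is a trailing `# vX.Y.Z` comment that a dependency-update bot keeps in sync with the hash.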



--
You received this message because you are subscribed to the Google Groups "Jenkins Infrastructure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkins-infr...@googlegroups.com.
To view this discussion, visit https://groups.google.com/d/msgid/jenkins-infra/CA%2BAiRi8rTp%2BE5HbF9km4sWj%3DG9U1CAcx7cvgF9fs3ekeybExtA%40mail.gmail.com.