URGENT: possible GitHub-related security issue due to compromised secrets


Dima Pasechnik
Mar 17, 2025, 2:40:24 PM
to sage-release, sage-devel, sage-support, Tobias Diez, sagemath-admins
Dear all,
this is to point out that SageMath is one of the GitHub orgs affected by

"tj-actions changed-files through 45.0.7 allows remote attackers to
discover secrets by reading actions logs"
https://github.com/advisories/GHSA-mrrh-fwg8-r2c3

We are working to fix this in sagemath GitHub org repos
(sagemath/sage, etc)
https://github.com/sagemath/sage/pull/39722

However, if you enabled GitHub Actions on your fork of any of
sagemath's repos, I assume our GitHub secrets might have gotten
compromised too.
So you'd need to disable Actions on your forks for the time being, and
change your secrets/tokens.

Dima

Georgi Guninski
Mar 18, 2025, 5:36:21 AM
to sage-...@googlegroups.com
This sucks a lot, especially if you reuse passwords.
According to [1] this was introduced "(March 12, according to Sysdig)",
so it might be a good idea to check logs for suspicious stuff in this
range.
IMHO whatever Microsoft buys, they ruin it.

[1] https://www.theregister.com/2025/03/17/supply_chain_attack_github/
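As an added example (not code from this thread, from SageMath, or from tj-actions), the two checks the messages above ask for, in one Python script: scan workflow text for `uses: tj-actions/changed-files@<ref>` and classify each ref against the advisory's "through 45.0.7", and pick out the workflow runs created inside the window Georgi mentions so their logs can be reviewed. The workflow text and run records are constructed sample data; the window start (2025-03-12) is the date the thread quotes from The Register/Sysdig, and the window end (2025-03-17, the date of Dima's message) is an assumption to adjust to when your own fix landed.

```python
"""Added example, not SageMath's or tj-actions' code: triage helpers for
GHSA-mrrh-fwg8-r2c3 (tj-actions/changed-files, "through 45.0.7").

scan_workflows()  - find every tj-actions/changed-files reference in workflow
                    text and classify its ref against the advisory range.
runs_in_window()  - select workflow runs created inside the suspicious window.

All sample data below is constructed; the window end date is an assumption.
"""
import re
from datetime import datetime

ADVISORY_MAX = (45, 0, 7)   # "through 45.0.7" per GHSA-mrrh-fwg8-r2c3
USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/changed-files@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def classify_ref(ref):
    """Classify the git ref a workflow uses to fetch tj-actions/changed-files."""
    if SHA_RE.match(ref):
        # Immutable pin: tag moves cannot affect it, but still confirm the
        # commit itself against the advisory before treating it as clean.
        return "pinned-sha"
    m = VERSION_RE.match(ref)
    if not m:
        # A branch name or non-version tag: mutable, treat as affected until verified.
        return "mutable-ref"
    version = tuple(int(p) for p in m.group(1).split("."))
    # Tuple comparison makes a partial tag such as v45 sort below 45.0.7,
    # so it is flagged as affected as well.
    return "affected" if version <= ADVISORY_MAX else "above-range"


def scan_workflows(workflow_text):
    """Return (ref, classification) for every use of the action, in file order."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(workflow_text)]


def _parse_ts(ts):
    # GitHub timestamps end in "Z"; older Pythons only accept "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def runs_in_window(runs, start="2025-03-12T00:00:00Z", end="2025-03-17T23:59:59Z"):
    """Return the ids of runs whose createdAt lies in [start, end] (inclusive)."""
    lo, hi = _parse_ts(start), _parse_ts(end)
    return [r["databaseId"] for r in runs if lo <= _parse_ts(r["createdAt"]) <= hi]


# Constructed sample workflow; not a real SageMath workflow file.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@v46.0.1
      - uses: tj-actions/changed-files@main
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

# Constructed sample run records, shaped like `gh run list --json databaseId,createdAt`.
SAMPLE_RUNS = [
    {"databaseId": 101, "createdAt": "2025-03-11T22:10:00Z"},
    {"databaseId": 102, "createdAt": "2025-03-12T00:30:00Z"},
    {"databaseId": 103, "createdAt": "2025-03-15T13:00:00Z"},
    {"databaseId": 104, "createdAt": "2025-03-18T09:00:00Z"},
]

if __name__ == "__main__":
    for ref, status in scan_workflows(SAMPLE_WORKFLOW):
        print(f"{status:12s} tj-actions/changed-files@{ref}")
    print("runs to review:", runs_in_window(SAMPLE_RUNS))
```

On a real repository, feed `scan_workflows()` the contents of each file under `.github/workflows/` and `runs_in_window()` the output of `gh run list --json databaseId,createdAt`; anything classified `affected` or `mutable-ref` means the secrets available to that workflow (and, as Dima notes, to Actions enabled on forks) should be rotated regardless of what the logs show.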