In this episode, we discuss the recent tj-actions/changed-files GitHub Action compromise. I propose some ways to apply existing solutions to this problem that don't add much extra friction but can greatly reduce the number of users affected by a compromise like this.
I also mention some information from StepSecurity's blog post on the topic, which I'd recommend reading: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
See also: this episode in blog form.
Edit: I have published a revised version of this episode clarifying the current state of Dependabot for managing action updates.
Info
- Show
- Published: March 26, 2025, 1:00 PM UTC
- Length: 7 min
- Season: 1
- Episode: 3
- Rating: All ages