Recap of tj-actions/changed-files: What We Can Learn
Updated March 18, 2025.
The recent compromise of the tj-actions/changed-files GitHub Action serves as a critical reminder of the security risks associated with using third-party dependencies in CI/CD workflows. This incident highlights the importance of implementing security best practices to mitigate similar threats in the future. Below, we share key lessons and best practices for securing GitHub Actions.
What Happened?
The widely used tj-actions/changed-files GitHub Action was compromised when an attacker injected malicious code designed to expose CI/CD secrets in GitHub Actions logs. As a result, public repositories using this action inadvertently leaked secrets within workflow logs. The malicious commits have since been removed from all tags and branches, limiting the risk to cached versions of the action and any secrets that were already exposed.
Key Lessons and Best Practices for Securing GitHub Actions
As workflows become more complex and incorporate third-party actions, they also introduce security risks. Proper security measures are essential to safeguard CI/CD pipelines from unauthorized access, malicious code execution, and supply chain attacks. The following key lessons can help with that.
1. Review Actions Before Use
Blindly integrating third-party actions into workflows introduces risk. Before using any action, follow these steps:
Review action source code to identify potential security issues, such as hardcoded credentials or calls to unknown external servers.
Favor GitHub-verified actions or those maintained by well-known and trusted organizations to minimize risk.
Use GitHub’s allow list to restrict workflows to approved external actions, reducing the attack surface.
Pin actions to specific commit SHAs instead of version tags, as maintainers can modify tags, potentially introducing malicious code.
2. Restrict Workflow Permissions
Granting excessive permissions increases the blast radius of a compromised action. Follow the principle of least privilege:
Define explicit permissions in the permissions: field to prevent unnecessary access.
Only grant write permissions when absolutely necessary to limit potential damage from compromised workflows.
Use fine-grained access controls to separate permissions by job, ensuring each workflow step has the minimum required privileges.
See below for an example of a configuration that minimizes privileges.
3. Implement Runtime Monitoring
Use security tools like Harden-Runner to detect anomalies in GitHub Actions workflows, alerting security teams to suspicious activity:
Unusual dependencies and workflow behaviors
CI/CD secret exfiltration
Unauthorized changes to source code during build
4. Monitor and Utilize GitHub Actions Logs Effectively
Continuous monitoring of GitHub Actions logs helps detect security incidents early:
Regularly review audit logs for unauthorized workflow modifications, especially changes to dependencies and external action calls.
Set up alerts for:
Conclusion
The tj-actions/changed-files compromise highlights the importance of supply chain security in CI/CD pipelines. By implementing the best practices outlined above - carefully reviewing actions, restricting permissions, monitoring runtime activity, and auditing logs - organizations can significantly reduce the risk of similar incidents.
Security in CI/CD is not a one-time effort; it requires continuous vigilance. By taking proactive measures today, teams can better protect their workflows from future threats.
