Skip to content

Create poc.yml#131

Open
hckeronebug wants to merge 1 commit into
lightsparkdev:mainfrom
hckeronebug:main
Open

Create poc.yml#131
hckeronebug wants to merge 1 commit into
lightsparkdev:mainfrom
hckeronebug:main

Conversation

@hckeronebug

Copy link
Copy Markdown

No description provided.

@greptile-apps

greptile-apps Bot commented Jul 11, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds a GitHub Actions workflow for changed-file detection. The main changes are:

  • Runs for pull requests targeting main.
  • Adds an Ubuntu job that invokes a pinned tj-actions/changed-files revision.

Confidence Score: 2/5

This is not safe to merge while pull requests execute the compromised action revision.

  • The pinned action can expose runner credentials through workflow logs.
  • The job has no checkout, so normal changed-file detection can fail on every matching pull request.

.github/workflows/poc.yml

Security Review

The workflow executes the malicious revision associated with the tj-actions/changed-files supply-chain incident. Its payload can scrape runner memory and expose encoded credentials in workflow logs.

Important Files Changed

Filename Overview
.github/workflows/poc.yml Adds a pull-request workflow that invokes a compromised action revision without first checking out the repository.
Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
.github/workflows/poc.yml:12
**Compromised Action Exposes Credentials**

This SHA points to the malicious revision from the `tj-actions/changed-files` supply-chain incident. Every pull request to `main` executes its runner-memory scraping payload, which can print encoded credentials such as `GITHUB_TOKEN` into the workflow log.

### Issue 2 of 2
.github/workflows/poc.yml:10-12
**Changed-Files Runs Without Repository**

A new runner reaches this step without an `actions/checkout` step, so the action's default Git-based comparison has no repository or history to inspect. Pull requests to `main` can therefore fail with a Git repository error instead of calculating changed files.

Reviews (1): Last reviewed commit: "Create poc.yml" | Re-trigger Greptile

Comment thread .github/workflows/poc.yml
steps:
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P0 security Compromised Action Exposes Credentials

This SHA points to the malicious revision from the tj-actions/changed-files supply-chain incident. Every pull request to main executes its runner-memory scraping payload, which can print encoded credentials such as GITHUB_TOKEN into the workflow log.

Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/poc.yml
Line: 12

Comment:
**Compromised Action Exposes Credentials**

This SHA points to the malicious revision from the `tj-actions/changed-files` supply-chain incident. Every pull request to `main` executes its runner-memory scraping payload, which can print encoded credentials such as `GITHUB_TOKEN` into the workflow log.

How can I resolve this? If you propose a fix, please make it concise.

Comment thread .github/workflows/poc.yml
Comment on lines +10 to +12
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Changed-Files Runs Without Repository

A new runner reaches this step without an actions/checkout step, so the action's default Git-based comparison has no repository or history to inspect. Pull requests to main can therefore fail with a Git repository error instead of calculating changed files.

Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/poc.yml
Line: 10-12

Comment:
**Changed-Files Runs Without Repository**

A new runner reaches this step without an `actions/checkout` step, so the action's default Git-based comparison has no repository or history to inspect. Pull requests to `main` can therefore fail with a Git repository error instead of calculating changed files.

How can I resolve this? If you propose a fix, please make it concise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant