Create poc.yml#131
Conversation
Greptile SummaryThis PR adds a GitHub Actions workflow for changed-file detection. The main changes are:
Confidence Score: 2/5This is not safe to merge while pull requests execute the compromised action revision.
.github/workflows/poc.yml
|
| Filename | Overview |
|---|---|
| .github/workflows/poc.yml | Adds a pull-request workflow that invokes a compromised action revision without first checking out the repository. |
Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 2
.github/workflows/poc.yml:12
**Compromised Action Exposes Credentials**
This SHA points to the malicious revision from the `tj-actions/changed-files` supply-chain incident. Every pull request to `main` executes its runner-memory scraping payload, which can print encoded credentials such as `GITHUB_TOKEN` into the workflow log.
### Issue 2 of 2
.github/workflows/poc.yml:10-12
**Changed-Files Runs Without Repository**
A new runner reaches this step without an `actions/checkout` step, so the action's default Git-based comparison has no repository or history to inspect. Pull requests to `main` can therefore fail with a Git repository error instead of calculating changed files.
Reviews (1): Last reviewed commit: "Create poc.yml" | Re-trigger Greptile
| steps: | ||
| - name: Get changed files | ||
| id: changed-files | ||
| uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67 |
There was a problem hiding this comment.
Compromised Action Exposes Credentials
This SHA points to the malicious revision from the tj-actions/changed-files supply-chain incident. Every pull request to main executes its runner-memory scraping payload, which can print encoded credentials such as GITHUB_TOKEN into the workflow log.
Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/poc.yml
Line: 12
Comment:
**Compromised Action Exposes Credentials**
This SHA points to the malicious revision from the `tj-actions/changed-files` supply-chain incident. Every pull request to `main` executes its runner-memory scraping payload, which can print encoded credentials such as `GITHUB_TOKEN` into the workflow log.
How can I resolve this? If you propose a fix, please make it concise.| - name: Get changed files | ||
| id: changed-files | ||
| uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67 |
There was a problem hiding this comment.
Changed-Files Runs Without Repository
A new runner reaches this step without an actions/checkout step, so the action's default Git-based comparison has no repository or history to inspect. Pull requests to main can therefore fail with a Git repository error instead of calculating changed files.
Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/poc.yml
Line: 10-12
Comment:
**Changed-Files Runs Without Repository**
A new runner reaches this step without an `actions/checkout` step, so the action's default Git-based comparison has no repository or history to inspect. Pull requests to `main` can therefore fail with a Git repository error instead of calculating changed files.
How can I resolve this? If you propose a fix, please make it concise.
No description provided.