A week ago, malicious code was added to the tj-actions/changed-files GitHub Action, potentially leaking secrets into public build logs for anybody using it. The attack was made possible by the common practice of referencing mutable Git tags in workflows. The author provides a script to identify all the GitHub Actions being used, emphasizing the importance of trust in action authors and advising writing custom scripts instead of relying on external actions. The script uses Unix pipelines to process the data efficiently, showcasing the power of traditional text processing tools. Becoming familiar with these tools is recommended for users of GitHub Actions.
https://alexwlchan.net/2025/github-actions-audit/
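As an added example (not the post's own script), the pipeline below inventories every third-party action referenced under `.github/workflows` and flags refs that are mutable tags or branches rather than full 40-hex commit SHAs, which is the pinning weakness the summary describes. It builds a constructed sample repository in a temp directory; the sample SHA and action refs are illustrative, not real pins.

```shell
#!/bin/sh
# Audit which GitHub Actions a repository's workflows use and how they are pinned.
set -eu

# list_actions DIR: print "action<TAB>ref<TAB>pinned|mutable" for each `uses:` entry.
# Local actions (./path) and docker:// images are skipped; output is deduplicated.
list_actions() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -print0 \
    | xargs -0 grep -h -E '^[[:space:]-]*uses:' \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]#].*$//' \
    | tr -d '"'"'" \
    | grep -v -E '^(\./|docker://)' \
    | sort -u \
    | awk -F'@' '{
        ref  = ($2 == "") ? "(none)" : $2
        # Only a full 40-character hex commit SHA counts as an immutable pin.
        kind = (length(ref) == 40 && ref ~ /^[0-9a-f]+$/) ? "pinned" : "mutable"
        printf "%s\t%s\t%s\n", $1, ref, kind
      }'
}

# count_mutable DIR: number of distinct action refs that are not full SHAs.
count_mutable() {
  list_actions "$1" | awk -F'\t' '$3 == "mutable"' | wc -l | tr -d ' '
}

# Constructed sample workflow for demonstration; the SHA below is made up.
make_sample_repo() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/ci.yml" <<'EOF'
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # pinned
      - uses: ./.github/actions/local-helper
      - run: echo build
EOF
  printf '%s\n' "$dir"
}

repo="$(make_sample_repo)"
list_actions "$repo"
echo "mutable refs: $(count_mutable "$repo")"
rm -rf "$repo"
```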