We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Via https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
This repo uses tj-actions/changed-files on commit to run just the changed installers.
Compromise details reported in the repo at:
tj-actions/changed-files#2463
tj-actions/changed-files#2464
A malicious commit made on 2025-03-14 attempts to dump the repo's secrets to the workflow log.
The maintainer has already addressed the issue and reversed the malicious changes.
This repo's last commit was 3 weeks ago. So this repo didn't run with the malicious code.
This repo has just 1 secret, a SEMGREP_APP_TOKEN from 4 years ago. I don't actually use Semgrep, so I'll just remove that secret.
SEMGREP_APP_TOKEN
The text was updated successfully, but these errors were encountered:
No branches or pull requests
Via https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
This repo uses tj-actions/changed-files on commit to run just the changed installers.
Compromise details reported in the repo at:
tj-actions/changed-files#2463
tj-actions/changed-files#2464
A malicious commit made on 2025-03-14 attempts to dump the repo's secrets to the workflow log.
The maintainer has already addressed the issue and reversed the malicious changes.
This repo's last commit was 3 weeks ago. So this repo didn't run with the malicious code.
This repo has just 1 secret, a
SEMGREP_APP_TOKENfrom 4 years ago. I don't actually use Semgrep, so I'll just remove that secret.The text was updated successfully, but these errors were encountered: