
📰 actions

Whose code am I running in GitHub Actions?

A week ago, somebody added malicious code to the tj-actions/changed-files GitHub Action. If you used the compromised action, it would leak secrets to your build log. Those build logs are public for public repositories, so anybody could see your secrets. Scary!

weeklyfoo #78 / 2025-03-31
github security actions