
A company I worked at went all in on GH too. The internal gh team is probably going to do a fire drill this whole weekend and app teams will be forced to rotate all secrets and credentials.

Fortunately don’t have to deal with that shit anymore




My day job is also in the middle of moving everything to Github Actions, so this is fun. But in my case, we aren't affected by this vulnerability because it could only be exploited by workflows with public logs, and currently my company only uses Github Actions for private repositories.


I mean maybe! But only if you've removed all of the usage of this compromised `tj-actions/changed-files` action, across all your repos and their branches.

Otherwise, if you continue to use it, it will run anytime there has been a push. Potentially on any branch, not just `main`! Depending on your GH config.

Unless you've blocked `tj-actions/changed-files` you're banking on the bad actor not coming back tonight and making a malicious commit that exfils those secrets to pastebin.com.


It's possible to whitelist actions on an org level.

You can whitelist

- all actions from a specific org (e.g. actions/*)

- a specific action (e.g. actions/setup-go)

- a specific version of a specific action (e.g. actions/setup-go@commit-sha)

Any workflow attempting to use actions outside of the whitelist will simply fail to start up.
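As an added example (not code from this thread, from GitHub, or from the tj-actions project), here is a small Python checker that applies the three allowlist forms listed in the comment above to the `uses:` lines of a workflow file, so a team can see which workflows would fail to start before switching the org-level policy on. The matching rules, the allowlist entries, the sample workflow, its version tags and the commit SHA are all constructed for the example; GitHub's own allow-list pattern syntax is not reproduced here, and treating same-repo `./` actions as always permitted is an assumption.

```python
import re

# Constructed allowlist using the three forms the comment lists. The matching rules
# below are an assumption made for this example, not GitHub's documented syntax.
ALLOWLIST = [
    "actions/*",                   # every action published by the `actions` org
    "docker/setup-buildx-action",  # one specific action, any version
    # one specific action pinned to one commit SHA (placeholder SHA, constructed)
    "some-org/deploy@0123456789abcdef0123456789abcdef01234567",
]

# Constructed sample workflow; the version tags and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-lint
      - name: Changed files
        uses: tj-actions/changed-files@v45
      - uses: some-org/deploy@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/deploy@main
      - uses: docker/setup-buildx-action@v3
      - run: echo build
"""

# Matches `uses:` lines whether or not they start a list item; captures the reference.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def parse_uses(workflow_text):
    """Return every `uses:` reference in a workflow file, in order of appearance."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def split_ref(uses):
    """Split 'owner/repo[/subdir]@ref' into (owner, repo, ref); ref is None when absent."""
    target, _, ref = uses.partition("@")
    parts = target.split("/")
    return parts[0], parts[1], (ref or None)


def is_allowed(uses, allowlist):
    """Decide whether one `uses:` reference is covered by the allowlist."""
    # Assumption: actions that live in the workflow's own repository are always permitted.
    if uses.startswith("./"):
        return True
    owner, repo, ref = split_ref(uses)
    for entry in allowlist:
        entry_target, _, entry_ref = entry.partition("@")
        entry_owner, entry_repo = entry_target.split("/", 1)
        if entry_owner != owner:
            continue
        if entry_repo == "*":      # whole org allowed
            return True
        if entry_repo != repo:
            continue
        if not entry_ref:          # action allowed at any version
            return True
        if entry_ref == ref:       # only this exact pin is allowed
            return True
    return False


def check_workflow(workflow_text, allowlist):
    """Return the references that an org-level allowlist would refuse to run."""
    return [u for u in parse_uses(workflow_text) if not is_allowed(u, allowlist)]


if __name__ == "__main__":
    for blocked in check_workflow(SAMPLE_WORKFLOW, ALLOWLIST):
        print("would be blocked:", blocked)
```

Run against the sample, the checker flags `tj-actions/changed-files@v45` (its org is not on the list at all) and `some-org/deploy@main` (the list only admits that action at one pinned SHA), while the `actions/*` entry and the unversioned `docker/setup-buildx-action` entry let the other steps through. Pointing `parse_uses` at each file under `.github/workflows/` across every branch gives the inventory the earlier comment says is needed before trusting that a compromised action is really gone.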



