
Exactly. And that's what happened here -- the bad actor changed all of those version tags to point to their malicious commit.

See https://github.com/tj-actions/changed-files/tags

All the tags point to commit `^0e58ed8` https://github.com/tj-actions/changed-files/commit/0e58ed867...



Correct me if I'm wrong, but you would be able to prevent this specific issue with the "Rules" in order to block updates of tags: https://github.blog/news-insights/product-news/github-reposi...


Yeah but no GitHub Action is going to do this because updating tags is the de facto mechanism for releasing patches for those repositories.
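The thread's point is that a version tag is a mutable pointer, so a workflow that writes `uses: owner/action@v45` trusts whatever commit that tag resolves to on the day the job runs. The usual consumer-side defence is to pin each `uses:` reference to a full 40-character commit SHA (with the tag kept as a trailing comment for readability) and to notice when a tag you previously resolved now points somewhere else. The script below is an added example written for this thread, not code from Hacker News, GitHub or the tj-actions project; the workflow snippet, tag names and all SHA values in it are constructed placeholders. `unpinned_actions()` flags remote actions whose ref is not a full SHA, and `tag_drift()` compares a recorded tag-to-SHA map with a current one so a retargeted tag shows up as a changed pair.

```python
import re

# Constructed sample workflow (not from the page): a mix of pinned and unpinned references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Constructed placeholder SHAs; real values would come from `git ls-remote --tags`.
SHA_GOOD_V45 = "a" * 40
SHA_GOOD_V44 = "d" * 40
SHA_RETARGETED = "b" * 40

# What the tags resolved to when the dependency was first reviewed.
RECORDED_TAGS = {"v45": SHA_GOOD_V45, "v44": SHA_GOOD_V44}
# What they resolve to now: every tag has been moved to one new commit.
CURRENT_TAGS = {"v45": SHA_RETARGETED, "v44": SHA_RETARGETED}

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote action reference in a workflow.

    Local composite actions (./path) and container images (docker://...) are
    skipped: they carry no git ref that could be pinned to a commit.
    """
    refs = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append((action, ref))
    return refs


def unpinned_actions(workflow_text):
    """Return references whose ref is a tag or branch name rather than a full commit SHA."""
    return [(action, ref) for action, ref in parse_uses(workflow_text)
            if not FULL_SHA_RE.match(ref)]


def tag_drift(recorded, current):
    """Map each tag whose resolved commit changed to (old_sha, new_sha).

    A tag missing from `current` maps to (old_sha, None), which is also worth a look:
    a deleted tag silently breaks consumers, a moved one silently changes what they run.
    """
    return {tag: (old, current.get(tag))
            for tag, old in recorded.items()
            if current.get(tag) != old}


if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref or '<no ref>'}")
    for tag, (old, new) in tag_drift(RECORDED_TAGS, CURRENT_TAGS).items():
        print(f"tag moved: {tag} {old[:7]} -> {(new or 'deleted')[:7]}")
```

Running it on the constructed input reports `actions/checkout@v4` and `tj-actions/changed-files@v45` as unpinned and both recorded tags as moved to the same new commit, which is the shape of the incident described above. In practice the recorded map would be written at review time and the current map fetched with `git ls-remote --tags` from CI, so a retargeted tag fails the build instead of being fetched and executed.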



