
Aren't GitHub action "packages" designated by a single major version? Something like checkout@v4, for example. I thought that that designated a single release as v4 which will not be updated?

I'm quite possibly wrong, since I try to avoid them as much as I can, but I mean.. wow I hope I'm not.



No the "v4" tag gets updated from v4.1 to v4.2 etc as those minor versions are released. They are branches, functionally.


Exactly. And that's what happened here -- the bad actor changed all of those version tags to point to their malicious commit.

See https://github.com/tj-actions/changed-files/tags

All the tags point to commit `^0e58ed8` https://github.com/tj-actions/changed-files/commit/0e58ed867...


Correct me if I'm wrong, but you would be able to prevent this specific issue with the "Rules" in order to block updates of tags; https://github.blog/news-insights/product-news/github-reposi...


Yeah but no GitHub Action is going to do this because updating tags is the de facto mechanism for releasing patches for those repositories.


Wow, thank you (and the other person that pointed this out to me). That's madness.


You can pin actions to a git sha to prevent this but people generally do not. Action authors would prefer their updates be picked up automatically.



