When reading random news I came across this note about a GitHub supply chain attack. The short version is that some tj-actions
used for CI were modified to leak some private keys into the build logs (in obfuscated form) where they could be obtained by anybody knowing how to undo the obfuscation.
There are two recommendations as a follow-up:
- Change any actions to not use a version but rather use a SHA as that prevents using tampered actions (assuming, of course, the version the SHA is taken from isn’t tampered with).
- Rotate all possibly affected keys. I don’t know how to do that and/or who should do that.
It seems people were unaware of this attack. In my mind that leads to another action we should consider for Beman repos: set up something identifying all dependencies (SBOM; Software Bill of Materials) and automatically check these against published vulnerabilities, e.g., with a daily CI run. I haven’t checked if any of the Beman repositories was/is actually affected.
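As an added illustration of the first recommendation (pinning to a SHA), here is a small check, written for this thread and not taken from any Beman repository, that scans GitHub Actions workflow files and reports every `uses:` entry that is not pinned to a full 40-hex commit SHA. The action names and the SHA in the sample workflow are constructed, not real commits.

```python
import re
from pathlib import Path

# A 'uses:' line in a GitHub Actions workflow, e.g.
#   - uses: owner/repo@v4
#   - uses: owner/repo@<40-hex sha>  # v5
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for each action reference that is
    resolved through a mutable tag/branch instead of a full commit SHA.
    Local ('./...') and docker:// references are skipped: they are not
    fetched from a git tag that an attacker could move."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, rev = ref.partition("@")  # rev is '' when no '@' at all
        if not FULL_SHA_RE.match(rev):
            findings.append((lineno, ref))
    return findings


def scan_workflow_dir(repo_root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan .github/workflows/*.yml and *.yaml below repo_root."""
    results = {}
    for path in sorted(Path(repo_root, ".github", "workflows").glob("*.y*ml")):
        hits = unpinned_uses(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample workflow; the SHA and example-org action are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: example-org/lint-action@v1
      - uses: ./.github/actions/local-step
      - run: echo build
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run as a daily CI job, `scan_workflow_dir(".")` returning a non-empty dict would be the signal that a workflow has drifted back to tag-based references.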