ci: pin tj-actions/changed-files

Closes #7793
2026-04-23 03:00:31 -04:00 · 2025-03-16 09:27:06 +10:00
parent b52f8121af
commit c84a646735
5 changed files with 30 additions and 5 deletions
--- a/.github/workflows/frontend-checks.yml
+++ b/.github/workflows/frontend-checks.yml
@@ -44,7 +44,12 @@ jobs:
      - name: check for changed frontend files
        if: ${{ inputs.always_run != true }}
        id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
        with:
          files_yaml: |
            frontend:
--- a/.github/workflows/frontend-tests.yml
+++ b/.github/workflows/frontend-tests.yml
@@ -44,7 +44,12 @@ jobs:
      - name: check for changed frontend files
        if: ${{ inputs.always_run != true }}
        id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
        with:
          files_yaml: |
            frontend:
--- a/.github/workflows/python-checks.yml
+++ b/.github/workflows/python-checks.yml
@@ -43,7 +43,12 @@ jobs:
      - name: check for changed python files
        if: ${{ inputs.always_run != true }}
        id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
        with:
          files_yaml: |
            python:
--- a/.github/workflows/python-tests.yml
+++ b/.github/workflows/python-tests.yml
@@ -77,7 +77,12 @@ jobs:
      - name: check for changed python files
        if: ${{ inputs.always_run != true }}
        id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
        with:
          files_yaml: |
            python:
--- a/.github/workflows/typegen-checks.yml
+++ b/.github/workflows/typegen-checks.yml
@@ -42,7 +42,12 @@ jobs:
      - name: check for changed files
        if: ${{ inputs.always_run != true }}
        id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
        with:
          files_yaml: |
            src: