Multiple tags in tj-action/changed-files (one of the actions we are using) are compromised

[sameh-farouk]

Context:
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

https://github.com/search?q=org%3Athreefoldtech%20tj-actions%2Fchanged-files&type=code

[sameh-farouk]

Update:
I checked and confirmed that we were not exposed to this attack.

• The last time we ran this workflow (Generate benchmark weights), it was well ahead of the compromised time.

• Now the issue has been resolved and no further actions are required as all tags were restored to point to their original uncompromised commits
  [BUG] Pretty sure this repo got hacked and if you use this it will send your secrets to a hacker tj-actions/changed-files#2464 (comment)

• Double-check the tag we are using:

To clarify:
The action name is simply a pointer to a GitHub repository under a GitHub organization.
the name prefixed by a @ represents the commit identifier. It is generally in the form of a tag @v3
actions/checkout@v3

In fact, a tag is simply a pointer to a specific SHA:

actions/checkout@v3 points to actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

Both commit SHA and tags can be used as commit identifiers. The problem with GitHub tags is that they can be updated to point to other commits (hence open to such attacks).

@xmonader Should we start using commit SHAs vs GitHub tags and update the workflows in all of our repos?