GitHub Action `tj-actions/changed-files` "used in over 23,000 repositories, has been compromised ... The compromised Action prints CI/CD Secrets in #GitHubActions build logs"
also, many actions have side-effects and/or do not document that they only work on Ubuntu-based (public) runners.
When you have self-hosted runners, the disk layout and the OS might differ. I use CentOS/Fedora.
I also prevent the use of something like apt or dnf installs, as the OS itself is immutable.
@lupyuen what concerns me is how this got propagated to others.
GitHub Actions has no security model or vetting process. Best to pin on a SHA, as versions can easily be 'recreated' to contain malicious code. I always fork and/or create my own actions.
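As an added example, not part of the thread above, here is a small check for the SHA-pinning advice: it scans workflow text for `uses:` references and flags any third-party action pinned to a mutable tag or branch instead of a full 40-hex commit SHA. The sample workflow and the SHA in it are constructed placeholders, not values from the thread.

```python
import re
from typing import List, Tuple

# Matches "uses: owner/repo[/path]@ref" in a workflow step. Local ("./...")
# and "docker://..." references never match, because they carry no owner/repo@ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
# A full commit SHA is exactly 40 lowercase hex characters; anything else is a
# tag or branch that the upstream repo owner (or an attacker) can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_action_pins(workflow_text: str) -> List[Tuple[str, str, bool]]:
    """Return (action, ref, pinned_to_sha) for every third-party action used."""
    return [
        (action, ref, bool(SHA_RE.match(ref)))
        for action, ref in USES_RE.findall(workflow_text)
    ]


def unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Only the actions that are not pinned to an immutable commit SHA."""
    return [(a, r) for a, r, ok in check_action_pins(workflow_text) if not ok]


# Constructed sample workflow; the 40-hex value below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder)
"""

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"NOT SHA-PINNED: {action}@{ref}")
```

Run the script over each file under `.github/workflows/` in CI to fail the build when a mutable ref slips in.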