Responding to sev2 escalation. Implementing SecOps guidance to address Potential for Supply Chain Tampering through Upstream Resource Tampering. The root cause is a vulnerability in the upstream repository tj-actions. Mitigating the risk by using the reusable action via a SHA reference so that the action consumed is immutable.

dancfox · dancfox · commit 3e92b3e22997 · 2024-12-26T10:08:01.000-07:00
diff --git a/.github/workflows/metadata-validation.yml b/.github/workflows/metadata-validation.yml
@@ -20,7 +20,7 @@ jobs:
 
     - name: Get changed files
       id: get_changed
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
       with:
         files: "*-test-samples/**"
         separator: ","
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -22,7 +22,7 @@ jobs:
 
     - name: Get changed files using defaults
       id: get_changed
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
       with:
         separator: ","
 
