
Bump tj-actions/changed-files from 47.0.4 to 47.0.5#20801

Merged
andrross merged 2 commits into main from dependabot/github_actions/tj-actions/changed-files-47.0.5 on Mar 10, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps tj-actions/changed-files from 47.0.4 to 47.0.5.

Release notes

Sourced from tj-actions/changed-files's releases.

v47.0.5

What's Changed

Full Changelog: tj-actions/changed-files@v47.0.4...v47.0.5

Changelog

Sourced from tj-actions/changed-files's changelog.

47.0.5 - (2026-03-03)

🔄 Update

  • Updated README.md (#2805)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (35dace0) - (github-actions[bot])

  • Updated README.md (#2803)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (9ee99eb) - (github-actions[bot])

⚙️ Miscellaneous Tasks

  • deps-dev: Bump @types/node from 25.3.2 to 25.3.3 (#2814) (22103cc) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.32.4 to 4.32.5 (#2815) (6c02e90) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-prettier from 5.5.4 to 5.5.5 (#2764) (05f9457) - (dependabot[bot])
  • deps: Bump lodash and @types/lodash (#2807) (52ed872) - (dependabot[bot])
  • deps: Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#2774) (1cc5746) - (dependabot[bot])
  • deps-dev: Bump prettier from 3.7.4 to 3.8.1 (#2775) (de2962f) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.32.2 to 4.32.4 (#2806) (37e96cc) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-jest from 29.12.1 to 29.15.0 (#2799) (2180b0f) - (dependabot[bot])
  • deps: Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2809) (cf021c1) - (dependabot[bot])
  • deps: Bump actions/download-artifact from 7.0.0 to 8.0.0 (#2810) (b54ac6f) - (dependabot[bot])
  • deps-dev: Bump @types/node from 25.2.2 to 25.3.2 (#2811) (0f2a510) - (dependabot[bot])

⬆️ Upgrades

  • Upgraded to v47.0.4 (#2802)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (b7ac303) - (github-actions[bot])

Commits
  • 22103cc chore(deps-dev): bump @types/node from 25.3.2 to 25.3.3 (#2814)
  • 6c02e90 chore(deps): bump github/codeql-action from 4.32.4 to 4.32.5 (#2815)
  • 05f9457 chore(deps-dev): bump eslint-plugin-prettier from 5.5.4 to 5.5.5 (#2764)
  • 52ed872 chore(deps): bump lodash and @types/lodash (#2807)
  • 1cc5746 chore(deps): bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#2774)
  • de2962f chore(deps-dev): bump prettier from 3.7.4 to 3.8.1 (#2775)
  • 37e96cc chore(deps): bump github/codeql-action from 4.32.2 to 4.32.4 (#2806)
  • 2180b0f chore(deps-dev): bump eslint-plugin-jest from 29.12.1 to 29.15.0 (#2799)
  • cf021c1 chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2809)
  • b54ac6f chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 (#2810)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.4 to 47.0.5.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@v47.0.4...v47.0.5)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependabot PRs with auto version bumps from dependabot dependencies Pull requests that update a dependency file patch labels Mar 9, 2026
@dependabot dependabot bot requested review from a team, jed326 and peternied as code owners March 9, 2026 14:47
@dependabot dependabot bot added patch dependencies Pull requests that update a dependency file dependabot PRs with auto version bumps from dependabot labels Mar 9, 2026
@github-actions
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit fcc039d.

Path | Line | Severity | Description
.github/workflows/gradle-check.yml | 27 | high | Updates tj-actions/changed-files from v47.0.4 to v47.0.5 using a mutable tag rather than a pinned commit SHA. The tj-actions/changed-files action was the subject of a documented supply chain compromise in March 2025 (CVE-2025-30066), where attackers pushed malicious code to existing version tags to exfiltrate CI/CD secrets (GITHUB_TOKEN, repository secrets) via workflow logs. Bumping to an unpinned tag on a previously compromised action is high-risk: the tag could be silently redirected to a malicious commit. Best practice is to pin to a specific, audited commit SHA (e.g., uses: tj-actions/changed-files@) and verify the SHA against the official release.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 1 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

Path | Line | Severity | Description
.github/workflows/gradle-check.yml | 27 | medium | The `tj-actions/changed-files` action is pinned to a mutable version tag (`v47.0.5`) rather than an immutable commit SHA. This action was the subject of a confirmed supply chain attack (CVE-2025-30066) in which malicious code was injected into multiple versions of the action to exfiltrate CI secrets from runner environments. Using a floating tag means the referenced code can be silently swapped without any change to this file. The version being bumped to (v47.0.5) falls within the range of versions that were flagged during that incident window. Recommend pinning to a verified commit SHA (e.g., `uses: tj-actions/changed-files@`) to prevent exposure if the tag is later tampered with.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

Path | Line | Severity | Description
.github/workflows/gradle-check.yml | 27 | medium | Bumping `tj-actions/changed-files` to v47.0.5 warrants verification. This action was the subject of a known supply chain attack (CVE-2025-30066) in which multiple version tags were retroactively rewritten to inject malicious code that exfiltrated CI/CD secrets. While v47.0.5 was released as part of post-incident remediation and is expected to be safe, the version bump should be validated against the commit SHA rather than a mutable tag to rule out any tag re-pointing.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@sandeshkr419 sandeshkr419 added skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. and removed patch skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. labels Mar 9, 2026
@github-actions
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

Path | Line | Severity | Description
.github/workflows/gradle-check.yml | 27 | medium | The `tj-actions/changed-files` action is pinned by a mutable tag (`v47.0.5`) rather than an immutable commit SHA. This action was previously compromised in a well-documented supply chain attack (CVE-2025-30066), making it a higher-risk dependency. A tag can be silently repointed to a different, potentially malicious commit without any visible change in the workflow file. Best practice is to pin to a full commit SHA (e.g., `tj-actions/changed-files@`) to guarantee immutability.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@sandeshkr419 sandeshkr419 added skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. skip-diff-reviewer Maintainer to skip code-diff-reviewer check, after reviewing issues in AI analysis. and removed skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. labels Mar 10, 2026
@github-actions
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

Path | Line | Severity | Description
.github/workflows/gradle-check.yml | 27 | medium | The `tj-actions/changed-files` action is pinned by a mutable version tag (v47.0.5) rather than an immutable commit SHA. Tags can be silently reassigned by the upstream maintainer or an attacker who gains repo access, enabling a supply chain attack without any visible diff change. This is especially notable because tj-actions/changed-files was previously compromised in a widely-reported supply chain attack (CVE-2025-30066) where the action was modified to exfiltrate CI/CD secrets. The recommended mitigation is to pin to a full commit SHA (e.g., `tj-actions/changed-files@<40-char-sha>`) and verify it against a known-good release.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@sandeshkr419 sandeshkr419 added skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. and removed skip-diff-reviewer Maintainer to skip code-diff-reviewer check, after reviewing issues in AI analysis. labels Mar 10, 2026
@sandeshkr419
Member

sandeshkr419 commented Mar 10, 2026

@andrross @cwperks

Can't get the gradle check to run because of:

Run PROMPT=$(cat <<-EOF
Processing AI results
-------------------------------------------------------
{
  "counts": {
    "total": 1,
    "critical": 0,
    "high": 0,
    "medium": 1,
    "low": 0
  },
  "truncated": false,
  "issues": [
    {
      "path": ".github/workflows/gradle-check.yml",
      "line": 27,
      "severity": "medium",
      "description": "The `tj-actions/changed-files` action is pinned by a mutable tag (`v47.0.5`) rather than an immutable commit SHA. This action was previously compromised in a well-documented supply chain attack (CVE-2025-30066), making it a higher-risk dependency. A tag can be silently repointed to a different, potentially malicious commit without any visible change in the workflow file. Best practice is to pin to a full commit SHA (e.g., `tj-actions/changed-files@<sha>`) to guarantee immutability."
    }
  ]
}
-------------------------------------------------------
Start issue count
Issue Count: Total(1), Critical(0), High(0), Medium(1), Low(0)
-------------------------------------------------------
Diff analyzer found issues, generating report
0s
Run echo "DIFF_ANALYZER_LEVELS=2" >> $GITHUB_OUTPUT
Diff analyzer has found issues in the code changes per AI Analysis
Hard fail diff analyzer at level 2
Error: Process completed with exit code 1.

So I have added skip-diff-analyzer for now.
This is a minor version bump which I think should be safe to merge without full gradle check. Also, we are pretty far away from next release date to take a calculated risk - if things break, we'll revert. Not an advocate on this practice, but should be fine for this instance.

If you'd refer to tagged version section in GHSA-mrrh-fwg8-r2c3:

If you are using tagged versions (e.g., v35, v44.5.1), no action is required as these tags have been updated and are now safe to use.

Please feel free to approve/merge if you don't have any thoughts otherwise.
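The analyzer's findings above and the maintainer's reading of the advisory leave one practical question open: how to replace a tag reference such as `tj-actions/changed-files@v47.0.5` with a commit SHA without losing Dependabot updates. The script below is an added example for this page, not code from OpenSearch, Dependabot or tj-actions. It scans a workflow for `uses:` lines that point at a tag or branch instead of a 40-hex SHA, turns `git ls-remote --tags` output into the commit a tag points at (for an annotated tag the commit is the peeled `refs/tags/TAG^{}` entry, not the tag object itself), and emits the SHA-plus-version-comment form that Dependabot still recognises for future bumps. The sample workflow, the sample `ls-remote` listing with its all-same-digit SHAs, and every function name are constructed for the example; `resolve_tag` is the only part that needs the network and is not exercised offline.

```python
"""Audit `uses:` references in a GitHub Actions workflow for mutable refs and
turn a `git ls-remote --tags` listing into the commit SHA a tag points at.

Added example for this PR thread; not OpenSearch's, Dependabot's or
tj-actions' code. The sample workflow, the sample ls-remote output and all
function names are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed workflow excerpt. Only the changed-files line mirrors what this
# PR bumps; the other steps are made up to exercise each branch of the check.
SAMPLE_WORKFLOW = """\
name: Gradle Check
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v47.0.5
      - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Constructed `git ls-remote --tags` listing (fake SHAs). v47.0.5 is shown as
# an annotated tag: the tag object plus its peeled `^{}` commit.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v47.0.4
2222222222222222222222222222222222222222\trefs/tags/v47.0.5
3333333333333333333333333333333333333333\trefs/tags/v47.0.5^{}
4444444444444444444444444444444444444444\trefs/tags/v47.0.6
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class UsesRef:
    line: int               # 1-based line number in the workflow file
    action: str             # e.g. "tj-actions/changed-files"
    ref: str                # the part after '@': a tag, a branch, or a commit SHA
    comment: Optional[str]  # trailing "# vX.Y.Z" hint, if present

    def is_sha_pinned(self) -> bool:
        return FULL_SHA_RE.fullmatch(self.ref) is not None


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Every third-party `uses:` reference; local paths and docker:// images are skipped."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith("./") or target.startswith("docker://") or "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        refs.append(UsesRef(lineno, action, ref, m.group("comment")))
    return refs


def find_unpinned(workflow_text: str) -> List[UsesRef]:
    """References that resolve through a mutable tag or branch instead of a full SHA."""
    return [r for r in parse_uses(workflow_text) if not r.is_sha_pinned()]


def commit_sha_for_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the commit a tag points at from `git ls-remote --tags` output.

    An annotated tag lists twice: `refs/tags/TAG` is the tag object and
    `refs/tags/TAG^{}` is the peeled commit. A SHA pin must name the commit,
    so the peeled line wins; a lightweight tag only has the first form.
    """
    tag_obj = peeled = None
    for line in ls_remote_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        sha, refname = parts
        if refname == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif refname == f"refs/tags/{tag}":
            tag_obj = sha
    return peeled or tag_obj


def resolve_tag(repo: str, tag: str) -> Optional[str]:
    """Network call (not run offline): ask GitHub which commit `tag` points at."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}.git"],
        check=True, capture_output=True, text=True,
    ).stdout
    return commit_sha_for_tag(out, tag)


def pinned_uses_line(action: str, sha: str, version: str) -> str:
    """The form Dependabot keeps updating: full SHA plus a version comment."""
    return f"uses: {action}@{sha} # {version}"


if __name__ == "__main__":
    for r in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref} is a mutable ref; pin it to a commit SHA")
    sha = commit_sha_for_tag(SAMPLE_LS_REMOTE, "v47.0.5")
    print(pinned_uses_line("tj-actions/changed-files", sha, "v47.0.5"))
    # Live lookup against GitHub: resolve_tag("tj-actions/changed-files", "v47.0.5")
```

The trailing `# v47.0.5` comment is what keeps the SHA pin maintainable: Dependabot rewrites both the SHA and the comment when it proposes the next version, so the workflow gets the same bump PRs as today while the ref itself is immutable. Compare the SHA you pin against the one shown on the action's release page before committing it, as the analyzer suggests.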

@andrross
Member

@sandeshkr419 The Gradle check Jenkins job is skipped in certain cases, such as the only changes being in .github/*:

@andrross andrross merged commit ea95b6c into main Mar 10, 2026
94 of 98 checks passed
@sandeshkr419 sandeshkr419 deleted the dependabot/github_actions/tj-actions/changed-files-47.0.5 branch March 10, 2026 21:14

Labels

dependabot PRs with auto version bumps from dependabot dependencies Pull requests that update a dependency file skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.
