Skip to content

Bump tj-actions/changed-files from 47.0.4 to 47.0.5#20801

Merged
andrross merged 2 commits intomainfrom
dependabot/github_actions/tj-actions/changed-files-47.0.5
Mar 10, 2026
Merged

Bump tj-actions/changed-files from 47.0.4 to 47.0.5#20801
andrross merged 2 commits intomainfrom
dependabot/github_actions/tj-actions/changed-files-47.0.5

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps tj-actions/changed-files from 47.0.4 to 47.0.5.

Release notes

Sourced from tj-actions/changed-files's releases.

v47.0.5

What's Changed

Full Changelog: tj-actions/changed-files@v47.0.4...v47.0.5

Changelog

Sourced from tj-actions/changed-files's changelog.

47.0.5 - (2026-03-03)

🔄 Update

  • Updated README.md (#2805)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (35dace0) - (github-actions[bot])

  • Updated README.md (#2803)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (9ee99eb) - (github-actions[bot])

⚙️ Miscellaneous Tasks

  • deps-dev: Bump @​types/node from 25.3.2 to 25.3.3 (#2814) (22103cc) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.32.4 to 4.32.5 (#2815) (6c02e90) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-prettier from 5.5.4 to 5.5.5 (#2764) (05f9457) - (dependabot[bot])
  • deps: Bump lodash and @​types/lodash (#2807) (52ed872) - (dependabot[bot])
  • deps: Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#2774) (1cc5746) - (dependabot[bot])
  • deps-dev: Bump prettier from 3.7.4 to 3.8.1 (#2775) (de2962f) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.32.2 to 4.32.4 (#2806) (37e96cc) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-jest from 29.12.1 to 29.15.0 (#2799) (2180b0f) - (dependabot[bot])
  • deps: Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2809) (cf021c1) - (dependabot[bot])
  • deps: Bump actions/download-artifact from 7.0.0 to 8.0.0 (#2810) (b54ac6f) - (dependabot[bot])
  • deps-dev: Bump @​types/node from 25.2.2 to 25.3.2 (#2811) (0f2a510) - (dependabot[bot])

⬆️ Upgrades

  • Upgraded to v47.0.4 (#2802)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (b7ac303) - (github-actions[bot])

Commits
  • 22103cc chore(deps-dev): bump @​types/node from 25.3.2 to 25.3.3 (#2814)
  • 6c02e90 chore(deps): bump github/codeql-action from 4.32.4 to 4.32.5 (#2815)
  • 05f9457 chore(deps-dev): bump eslint-plugin-prettier from 5.5.4 to 5.5.5 (#2764)
  • 52ed872 chore(deps): bump lodash and @​types/lodash (#2807)
  • 1cc5746 chore(deps): bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#2774)
  • de2962f chore(deps-dev): bump prettier from 3.7.4 to 3.8.1 (#2775)
  • 37e96cc chore(deps): bump github/codeql-action from 4.32.2 to 4.32.4 (#2806)
  • 2180b0f chore(deps-dev): bump eslint-plugin-jest from 29.12.1 to 29.15.0 (#2799)
  • cf021c1 chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2809)
  • b54ac6f chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 (#2810)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump tj-actions/changed-files from 47.0.4 to 47.0.5
fcc039d 
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.4 to 47.0.5.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@v47.0.4...v47.0.5)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependabot PRs with auto version bumps from dependabot dependencies Pull requests that update a dependency file patch labels Mar 9, 2026
@dependabot dependabot bot requested review from a team, jed326 and peternied as code owners March 9, 2026 14:47
@dependabot dependabot bot added patch dependencies Pull requests that update a dependency file dependabot PRs with auto version bumps from dependabot labels Mar 9, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit fcc039d.

PathLineSeverityDescription
.github/workflows/gradle-check.yml27highUpdates tj-actions/changed-files from v47.0.4 to v47.0.5 using a mutable tag rather than a pinned commit SHA. The tj-actions/changed-files action was the subject of a documented supply chain compromise in March 2025 (CVE-2025-30066), where attackers pushed malicious code to existing version tags to exfiltrate CI/CD secrets (GITHUB_TOKEN, repository secrets) via workflow logs. Bumping to an unpinned tag on a previously compromised action is high-risk: the tag could be silently redirected to a malicious commit. Best practice is to pin to a specific, audited commit SHA (e.g., uses: tj-actions/changed-files@) and verify the SHA against the official release.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 1 | Medium: 0 | Low: 0

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@dependabot
Update changelog
d85fd1b 
Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

PathLineSeverityDescription
.github/workflows/gradle-check.yml27mediumThe `tj-actions/changed-files` action is pinned to a mutable version tag (`v47.0.5`) rather than an immutable commit SHA. This action was the subject of a confirmed supply chain attack (CVE-2025-30066) in which malicious code was injected into multiple versions of the action to exfiltrate CI secrets from runner environments. Using a floating tag means the referenced code can be silently swapped without any change to this file. The version being bumped to (v47.0.5) falls within the range of versions that were flagged during that incident window. Recommend pinning to a verified commit SHA (e.g., `uses: tj-actions/changed-files@`) to prevent exposure if the tag is later tampered with.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

PathLineSeverityDescription
.github/workflows/gradle-check.yml27mediumBumping `tj-actions/changed-files` to v47.0.5 warrants verification. This action was the subject of a known supply chain attack (CVE-2025-30066) in which multiple version tags were retroactively rewritten to inject malicious code that exfiltrated CI/CD secrets. While v47.0.5 was released as part of post-incident remediation and is expected to be safe, the version bump should be validated against the commit SHA rather than a mutable tag to rule out any tag re-pointing.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@sandeshkr419 sandeshkr419 added skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. and removed patch skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. labels Mar 9, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

PathLineSeverityDescription
.github/workflows/gradle-check.yml27mediumThe `tj-actions/changed-files` action is pinned by a mutable tag (`v47.0.5`) rather than an immutable commit SHA. This action was previously compromised in a well-documented supply chain attack (CVE-2025-30066), making it a higher-risk dependency. A tag can be silently repointed to a different, potentially malicious commit without any visible change in the workflow file. Best practice is to pin to a full commit SHA (e.g., `tj-actions/changed-files@`) to guarantee immutability.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@sandeshkr419 sandeshkr419 added skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. skip-diff-reviewer Maintainer to skip code-diff-reviewer check, after reviewing issues in AI analysis. and removed skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. labels Mar 10, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 10, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit d85fd1b.

PathLineSeverityDescription
.github/workflows/gradle-check.yml27mediumThe `tj-actions/changed-files` action is pinned by a mutable version tag (v47.0.5) rather than an immutable commit SHA. Tags can be silently reassigned by the upstream maintainer or an attacker who gains repo access, enabling a supply chain attack without any visible diff change. This is especially notable because tj-actions/changed-files was previously compromised in a widely-reported supply chain attack (CVE-2025-30066) where the action was modified to exfiltrate CI/CD secrets. The recommended mitigation is to pin to a full commit SHA (e.g., `tj-actions/changed-files@<40-char-sha>`) and verify it against a known-good release.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 1 | Low: 0

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@sandeshkr419 sandeshkr419 added skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. and removed skip-diff-reviewer Maintainer to skip code-diff-reviewer check, after reviewing issues in AI analysis. labels Mar 10, 2026
@sandeshkr419
Copy link
Member

sandeshkr419 commented Mar 10, 2026
edited
Loading

@andrross @cwperks

Can't get the gradle check to run because of:

Run PROMPT=$(cat <<-EOF
Processing AI results
-------------------------------------------------------
{
  "counts": {
    "total": 1,
    "critical": 0,
    "high": 0,
    "medium": 1,
    "low": 0
  },
  "truncated": false,
  "issues": [
    {
      "path": ".github/workflows/gradle-check.yml",
      "line": 27,
      "severity": "medium",
      "description": "The `tj-actions/changed-files` action is pinned by a mutable tag (`v47.0.5`) rather than an immutable commit SHA. This action was previously compromised in a well-documented supply chain attack (CVE-2025-30066), making it a higher-risk dependency. A tag can be silently repointed to a different, potentially malicious commit without any visible change in the workflow file. Best practice is to pin to a full commit SHA (e.g., `tj-actions/changed-files@<sha>`) to guarantee immutability."
    }
  ]
}
-------------------------------------------------------
Start issue count
Issue Count: Total(1), Critical(0), High(0), Medium(1), Low(0)
-------------------------------------------------------
Diff analyzer found issues, generating report
0s
Run echo "DIFF_ANALYZER_LEVELS=2" >> $GITHUB_OUTPUT
Diff analyzer has found issues in the code changes per AI Analysis
Hard fail diff analyzer at level 2
Error: Process completed with exit code 1.

So I have added skip-diff-analyzer for now.
This is a minor version bump which I think should be safe to merge without full gradle check. Also, we are pretty far away from next release date to take a calculated risk - if things break, we'll revert. Not an advocate on this practice, but should be fine for this instance.

If you'd refer to tagged version section in GHSA-mrrh-fwg8-r2c3:

If you are using tagged versions (e.g., v35, v44.5.1), no action is required as these tags have been updated and are now safe to use.

Please feel free to approve/merge if you don't have any thoughts otherwise.

@sandeshkr419 sandeshkr419 mentioned this pull request Mar 10, 2026
Merged
1 task
@andrross
Copy link
Member

andrross commented Mar 10, 2026

@sandeshkr419 The Gradle check jenkins job is skipped in certain cases, such as the only changes being in .github/*:

OpenSearch/.github/workflows/gradle-check.yml

Line 31 in 383dcc8

.github/**

@andrross andrross merged commit ea95b6c into main Mar 10, 2026
94 of 98 checks passed
@sandeshkr419 sandeshkr419 deleted the dependabot/github_actions/tj-actions/changed-files-47.0.5 branch March 10, 2026 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrross andrross andrross approved these changes

@sandeshkr419 sandeshkr419 sandeshkr419 approved these changes

@jed326 jed326 Awaiting requested review from jed326 jed326 is a code owner

@peternied peternied Awaiting requested review from peternied peternied is a code owner

Assignees

No one assigned

Labels

dependabot PRs with auto version bumps from dependabot dependencies Pull requests that update a dependency file skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sandeshkr419 @andrross