Security: Compromise of reviewdog/action-setup@v1

[joschi]

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

Wiz Research has discovered an additional supply chain attack on reviewdog/action-setup@v1, that may have contributed to the compromise of tj-actions/changed-files. At this point we believe this is a chain of supply chain attacks eventually leading to a specific high-value target.

You are certainly aware of this article and the issue.

Is there any way to track the incident? I haven't seen anything in the Security tab in this repository.

[haya14busa]

There is a security advisory report at https://github.com/reviewdog/reviewdog/security but it's still draft state.
I was working on fixing potential issues and it's mostly done.

I'll create an issue or something to share the status after getting some rest.

For the time being, I believe most users can read the wiz blog post as to what users should do.

[aviadhahami]

@haya14busa - thank you for the quick response!
Did you manage to rotate all your tokens & secrets as well? :)

[haya14busa]

I posted an issue on reviedog repo. reviewdog/reviewdog#2079

Did you manage to rotate all your tokens & secrets as well? :)

Yes! Thanks for checking.