This is not a Renovate issue per se, but I'm posting this here for maximum visibility.
- An attacker had enough access to the tj-actions/changed-files repo to be able to configure/reconfigure tags somehow
- The attacker added malicious code to their fork of the repo, and chose to spoof Renovate as the committer, potentially because it was a Renovate commit which was the most recent commit in the repo. GitHub has always allowed git commits to be spoofed - it's a known feature/limitation depending on who you ask
- Important: this spoofing of commits wasn't done to "trick" a maintainer into accepting any PR, instead it was just to obfuscate it a little. It was an orphan commit and not on top of main or any other branch
- As you'd expect, the commit showed up as Unverified, although if we're being realistic, most people don't look at that or enforce signed commits only (the real bot signs its commits)
- Kind of unrelated, but the "real" Renovate Bot - just like Dependabot presumably - then started proposing PRs to update the action, like it does any other outdated dependency
- Some people had automerging of such updates enabled, but this is not Renovate's default behavior. Even without automerging, an action like this might be able to achieve its aim only with a PR, if it's run as part of PR builds
- This incident has reminded us that many people mistakenly assume that git tags are immutable, especially if they are in semver format. Although it's rare for such tags to be changed, they are not immutable by design
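The practical takeaway from the post is that a `uses: owner/action@vN` reference resolves through a mutable tag, while a full 40-hex commit SHA is content-addressed and cannot be re-pointed. The following is an added example, not code from the original post, from Renovate, or from tj-actions: a small audit script that scans the `uses:` lines of a GitHub Actions workflow and reports which references an attacker with tag or branch write access could redirect. The workflow text, the action names, and the SHAs in it are constructed for the example (the SHAs are obviously fake), and the trailing `# vX.Y.Z` comment is the convention that bots such as Renovate use to record the version a SHA pin corresponds to.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow for illustration only; the action names and SHAs are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: list changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
      - uses: some-org/other-action@0123456
"""

# Matches "uses: <ref>" with an optional "- " list marker and an optional "# comment" suffix.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>\S+)\s*(?:#\s*(?P<comment>\S.*?)\s*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_HEX_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    kind: str      # "sha", "short-sha", "mutable", "local", "docker", "no-ref"
    comment: str   # trailing "# vX.Y.Z" hint, if present
    note: str


def classify(ref):
    """Classify the part after '@' by whether it can be re-pointed after the fact."""
    if ref.startswith("./"):
        return "local", "local action from this checkout; trust follows the repo itself"
    if ref.startswith("docker://"):
        return "docker", "container image, not a git ref; check image pinning separately"
    if "@" not in ref:
        return "no-ref", "no version at all"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "sha", "full commit SHA: content-addressed, cannot be re-pointed"
    if SHORT_HEX_RE.match(version):
        return "short-sha", "abbreviated hex ref: ambiguous, use the full 40-char SHA"
    # Anything else is a tag or branch name. Offline we cannot tell the two apart,
    # and it does not matter: both can be moved by anyone with write access.
    return "mutable", "tag or branch name; can be re-pointed by anyone with write access"


def audit(workflow_text):
    """Return a Finding for every `uses:` line in the workflow text."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind, note = classify(ref)
        findings.append(Finding(line_no, ref, kind, m.group("comment") or "", note))
    return findings


def mutable_refs(workflow_text):
    """The references that should be converted to full-SHA pins before this workflow is trusted."""
    return [f.ref for f in audit(workflow_text) if f.kind in ("mutable", "short-sha", "no-ref")]


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        flag = "OK" if f.kind in ("sha", "local") else "!!"
        print(f"{flag} line {f.line_no:>3}: {f.ref:<58} {f.kind:<10} {f.note}")
```

Run it against a real `.github/workflows/*.yml` by reading the file and passing the text to `audit()`; every `mutable` finding is a place where `git tag -f vN <other-commit> && git push -f origin vN` by someone with write access to the action's repo silently changes what your CI executes. Converting those references to `owner/action@<full sha> # vN` keeps Renovate and Dependabot able to propose updates (they rewrite the SHA and the version comment together) while removing the tag from the trust path.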