Skip to main content

Proactive Security Response - GitHub Actions Supply Chain Attack

· 4 min read
Lea Anthony
Security Shield

TL;DR

Good news! Wails was NOT affected by this security incident. Our thorough investigation confirmed that no secrets were leaked, and the Wails codebase and releases remain completely secure. We've already taken proactive measures to further strengthen our security posture.

Introduction

On 15th March 2025 (AEST), the Wails team was alerted to a security incident involving the tj-actions/changed-files GitHub Action. This widely-used action (with over 23,000 repositories depending on it) was compromised in a supply chain attack. While this action was used in some of our CI/CD workflows, we're pleased to confirm that Wails remained fully protected throughout.

This post shares the details of the incident, our response, and the additional safeguards we've implemented to ensure the continued security of the Wails project.

Incident Details

The security company StepSecurity reported that the tj-actions/changed-files GitHub Action was compromised beginning around 9:00 AM March 14th, 2025 Pacific Time (4:00 PM UTC).

In this attack, malicious code was injected into the action that attempted to dump CI/CD secrets from GitHub Actions runner processes into public logs. The attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit.

Our Proactive Assessment

Upon learning this, we immediately launched a comprehensive assessment of our systems:

  1. We identified the following Wails workflows that were using the action:

    • For Wails v2: pr-v2.yml and upload-source-documents.yml
    • For Wails v3: pr-v3.yml, publish-npm.yml, and upload-source-documents.yml

  2. Our security team conducted a thorough review of all workflow logs for the affected actions during the time period of the compromise.

  3. We're happy to confirm that no secrets were leaked in any of our workflow logs, and the Wails codebase remained completely secure.

Action Taken

We took immediate steps to address this situation:

  1. We swiftly replaced all instances of the affected tj-actions/changed-files action with the secure alternative step-security/changed-files provided by StepSecurity.

  2. As an extra precautionary measure, we temporarily removed all secrets from our GitHub Actions workflows.

What This Means for You

We want to reassure our community that:

  1. The Wails codebase was never compromised in any way.
  2. No malicious code was introduced into any Wails releases.
  3. This situation only potentially affected our CI/CD pipeline, not the actual Wails source code or releases.
  4. No sensitive information or secrets were exposed during this time.

In short: All Wails releases remain secure and trustworthy, and no action is required on your part.

Strengthening Our Security Posture

To minimise exposure to similar potential incidents in the future, we're enhancing our security practices by:

  1. Implementing stricter version pinning for all third-party actions used in our workflows, preferably pinning to specific commit hashes rather than version tags.

  2. Establishing a regular security review process for our CI/CD pipelines and dependencies.

  3. Exploring the use of additional security tools like StepSecurity's Harden-Runner to provide enhanced protection for our GitHub Actions workflows.

  4. Developing a more comprehensive security incident response plan to ensure we can respond quickly and effectively to any future security concerns.

It's worth noting that the Wails project already employs several security tools as part of our development process:

  • Semgrep: We use Semgrep for static code analysis to identify potential security vulnerabilities and code quality issues.
  • Snyk: We employ Snyk to continuously monitor our dependencies for known vulnerabilities and receive alerts when security patches are needed.

These existing security measures, combined with our enhanced preventative steps, demonstrate our ongoing commitment to maintaining the security and integrity of the Wails project.

Moving Forward

The security of the Wails project and the trust of our community are our highest priorities. We remain committed to transparency and will continue to promptly address any security concerns that arise.

We would like to thank StepSecurity for their quick response in identifying this issue and providing a secure alternative action.

If you have any questions or concerns about this, please don't hesitate to reach out to us on GitHub or Discord. We're always here to help.