|
| 1 | +--- |
| 2 | +slug: security-incident-response-march-2025 |
| 3 | +title: Proactive Security Response - GitHub Actions Supply Chain Attack |
| 4 | +authors: [leaanthony] |
| 5 | +tags: [wails, security] |
| 6 | +--- |
| 7 | + |
| 8 | +<div class="text--center"> |
| 9 | + <img |
| 10 | + src={require("@site/static/img/blog/shield.png").default} |
| 11 | + width="150" |
| 12 | + alt="Security Shield" |
| 13 | + /> |
| 14 | +</div> |
| 15 | +<br /> |
| 16 | + |
| 17 | +:::note TL;DR |
| 18 | +**Good news! Wails was NOT affected by this security incident.** Our thorough investigation confirmed that no secrets were leaked, and the Wails codebase and releases remain completely secure. We've already taken proactive measures to further strengthen our security posture. |
| 19 | +::: |
| 20 | + |
| 21 | +## Introduction |
| 22 | + |
| 23 | +On 15th March 2025 (AEST), the Wails team was alerted to a security incident involving the `tj-actions/changed-files` GitHub Action. This widely-used action (with over 23,000 repositories depending on it) was compromised in a supply chain attack. While this action was used in some of our CI/CD workflows, we're pleased to confirm that Wails remained fully protected throughout. |
| 24 | + |
| 25 | +This post shares the details of the incident, our response, and the additional safeguards we've implemented to ensure the continued security of the Wails project. |
| 26 | + |
| 27 | +## Incident Details |
| 28 | + |
| 29 | +The security company StepSecurity [reported](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) that the `tj-actions/changed-files` GitHub Action was compromised beginning around 9:00 AM March 14th, 2025 Pacific Time (4:00 PM UTC). |
| 30 | + |
| 31 | +In this attack, malicious code was injected into the action that attempted to dump CI/CD secrets from GitHub Actions runner processes into public logs. The attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit. |
| 32 | + |
| 33 | +## Our Proactive Assessment |
| 34 | + |
| 35 | +Upon learning this, we immediately launched a comprehensive assessment of our systems: |
| 36 | + |
| 37 | +1. We identified the following Wails workflows that were using the action: |
| 38 | + - For Wails v2: `pr-v2.yml` and `upload-source-documents.yml` |
| 39 | + - For Wails v3: `pr-v3.yml`, `publish-npm.yml`, and `upload-source-documents.yml` |
| 40 | + |
| 41 | +2. Our security team conducted a thorough review of all workflow logs for the affected actions during the time period of the compromise. |
| 42 | + |
| 43 | +3. We're happy to confirm that **no secrets were leaked** in any of our workflow logs, and the Wails codebase remained completely secure. |
| 44 | + |
| 45 | +## Action Taken |
| 46 | + |
| 47 | +We took immediate steps to address this situation: |
| 48 | + |
| 49 | +1. We swiftly replaced all instances of the affected `tj-actions/changed-files` action with the secure alternative `step-security/changed-files` provided by StepSecurity. |
| 50 | + |
| 51 | +2. As an extra precautionary measure, we temporarily removed all secrets from our GitHub Actions workflows. |
| 52 | + |
| 53 | +## What This Means for You |
| 54 | + |
| 55 | +We want to reassure our community that: |
| 56 | + |
| 57 | +1. The Wails codebase was never compromised in any way. |
| 58 | +2. No malicious code was introduced into any Wails releases. |
| 59 | +3. This situation only potentially affected our CI/CD pipeline, not the actual Wails source code or releases. |
| 60 | +4. No sensitive information or secrets were exposed during this time. |
| 61 | + |
| 62 | +**In short: All Wails releases remain secure and trustworthy, and no action is required on your part.** |
| 63 | + |
| 64 | +## Strengthening Our Security Posture |
| 65 | + |
| 66 | +To minimise exposure to similar potential incidents in the future, we're enhancing our security practices by: |
| 67 | + |
| 68 | +1. Implementing stricter version pinning for all third-party actions used in our workflows, preferably pinning to specific commit hashes rather than version tags. |
| 69 | + |
| 70 | +2. Establishing a regular security review process for our CI/CD pipelines and dependencies. |
| 71 | + |
| 72 | +3. Exploring the use of additional security tools like StepSecurity's Harden-Runner to provide enhanced protection for our GitHub Actions workflows. |
| 73 | + |
| 74 | +4. Developing a more comprehensive security incident response plan to ensure we can respond quickly and effectively to any future security concerns. |
| 75 | + |
| 76 | +It's worth noting that the Wails project already employs several security tools as part of our development process: |
| 77 | + |
| 78 | +- **Semgrep**: We use Semgrep for static code analysis to identify potential security vulnerabilities and code quality issues. |
| 79 | +- **Snyk**: We employ Snyk to continuously monitor our dependencies for known vulnerabilities and receive alerts when security patches are needed. |
| 80 | + |
| 81 | +These existing security measures, combined with our enhanced preventative steps, demonstrate our ongoing commitment to maintaining the security and integrity of the Wails project. |
| 82 | + |
| 83 | +## Moving Forward |
| 84 | + |
| 85 | +The security of the Wails project and the trust of our community are our highest priorities. We remain committed to transparency and will continue to promptly address any security concerns that arise. |
| 86 | + |
| 87 | +We would like to thank StepSecurity for their quick response in identifying this issue and providing a secure alternative action. |
| 88 | + |
| 89 | +If you have any questions or concerns about this, please don't hesitate to reach out to us on [GitHub](https://github.com/wailsapp/wails) or [Discord](https://discord.gg/JDdSxwjhGf). We're always here to help. |
0 commit comments