potiuk opened a new issue, #5455:
URL: https://github.com/apache/linkis/issues/5455
Heads-up from ASF Infra. `.github/workflows/auto-comment.yml` uses
`actions-cool/issues-helper@v3`:
```yaml
- name: Create comment
uses: actions-cool/issues-helper@v3
```
**What happened.** On 2026-05-18, an attacker moved every tag of
`actions-cool/issues-helper` (and `actions-cool/maintain-one-comment`) to an
imposter commit that reads runner memory to harvest CI/CD secrets and
exfiltrates them ([StepSecurity
advisory](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials)).
GitHub TOS-blocked the repo on 2026-05-19, so `@v3` no longer resolves -- this
step now fails to fetch the action.
**Good news -- no exposure here.** I checked this workflow's run history: it
had **no runs** during the ~5-hour window the action was malicious (2026-05-18
19:10 -> 2026-05-19 00:33 UTC), so no secrets were exposed and no rotation is
needed on that evidence.
**Action needed.** The step is now dead and should be removed or replaced. A
safe drop-in is `actions/github-script` (in the always-allowed `actions/*`
namespace, so no ASF allow-list change needed) -- it can post the same welcome
comment via the REST API.
Happy to send a PR if useful. This action was also removed from the ASF
org-wide allow list in apache/infrastructure-actions#1035.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]