How to Keep Your Supply Chain Al Dente with GitHub Actions

A series of high-profile supply chain attacks targeted popular GitHub Actions such as TJ-Actions and ReviewDog, injecting malicious code that attempted to exfiltrate secrets via workflow logs. These compromises shed light on the impact of critical CI/CD vulnerabilities and emphasized the need for robust mitigation strategies.

I’ll dive into the details of these incidents, walking through how they unfolded, the measures taken by GitHub Field Services in response, and how you can proactively secure your Actions workflows before a similar attack hits an action you depend on.

I’ll cover investigative approaches using GitHub's Dependabot Alerts, Dependency Insights, Audit Logs, Code Search, and other tools to identify impacted workflows and pinpoint leaks.
Beyond immediate response measures - such as secret rotation and access revocation - I'll focus on actionable, long-term steps for hardening the supply chain of your open source project on GitHub.
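As an added illustration of the "identify impacted workflows" step (example code written for this page, not material from the talk or from GitHub), the script below scans a workflow file for `uses:` references, flags any that point at the action namespaces named above, and flags any that are pinned to a mutable tag instead of a full commit SHA. The sample workflow and the 40-hex SHA in it are constructed; the `tj-actions/` and `reviewdog/` prefixes are assumed to be the GitHub orgs of the affected actions.

```python
import re
from typing import Dict, List

# Action namespaces named in the abstract (assumed GitHub org prefixes).
WATCHLIST = ("tj-actions/", "reviewdog/")

# Matches `uses: owner/repo[/path]@ref` lines in a workflow file.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)@([^\s'\"#]+)", re.MULTILINE)
# A full 40-character commit SHA is the only immutable ref for an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per external action reference in a workflow."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local or container actions: not a marketplace dependency
        pinned = bool(SHA_RE.match(ref))
        watched = action.startswith(WATCHLIST)
        findings.append({
            "action": action,
            "ref": ref,
            "pinned_to_sha": pinned,
            "on_watchlist": watched,
            # anything on the watchlist, or anything on a mutable tag, needs triage
            "needs_review": watched or not pinned,
        })
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        flag = "REVIEW" if f["needs_review"] else "ok"
        print(f"{flag:6} {f['action']}@{f['ref']}")
```

Running it over every file under `.github/workflows/` in your repositories gives a quick first pass before turning to Dependency Insights and Code Search for org-wide coverage.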

- Maintainer Summit KubeCon EU 2025

Matteo Bianchi

Solutions Engineer @ GitHub | CNCF Ambassador | Kubernetes Release Team

Amsterdam, The Netherlands
