Re: [tractusx-dev] GitHub Actions -> mutable versions -> immutable versi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tractusx-dev] GitHub Actions -> mutable versions -> immutable versions

From: Stephan Bauer <stephan.bauer@xxxxxxxxxxxx>
Date: Sat, 20 Jun 2026 08:15:51 +0000
Accept-language: de-DE, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=catena-x.net; dmarc=pass action=none header.from=catena-x.net; dkim=pass header.d=catena-x.net; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=srzbqwcy8wQCkwFP78IiRE1u6EIxP2uMre85YFKlyeU=; b=KkbbPVEaWdcJPRReMntLDE6Z/MoiGzxtS3VTUfo04Ocg+eh5Vue/W+s7uuySWz1uLkjsNyrIAp+UnK7CbzSfqB0hRqi2lNUB8xWvK1KgLQs4K/gQx6p/9rjnTUy3qio0N4+DT+6xyyDZ0VDw9KzxGw5p91cuGJbyyfDveLQkbcPgvufkURjcZw7bxjJZi9tppnk7ruHOAEM39fnjgIOUICkyiYZKf6UECU4GRZy0hzAuGScvyRPhcwzlKk8IuLx9S01k546zhNzqXYArvk2KxGC5i6kNP3omfD+zOBz+WxtN/84eWGiXGgz669jX/O7sM0dgZE7+1HAZLCnz+yZvmw==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=rFmptcqueK6YAWTgsCHD7YglaqQylnZIIlkbG7N7wmT7vHcgoFJMAQmAmzvvVTctQ7g7JVYB/32mxyfvIV0D4nQ1ZOsAxqqc5pOoP3qt4h+k9x5cFsJ1jBWGQRhfrB+TsrYwQfazRFsKrK01rvpiYCBurqddc0VQfmPSGAvZSX0Rm+2oYQXjmg4XPvl/V5D/RmmSK0DN/5dB12UV3zosvkNJ0q1DeQe8cwJxCdAmmgMbP+KcQb1wgTOBoRtEOhqyu704YkM/gf8mt1Ny7fpNhZh0YXADtRlpI6JI1peb4vm6YmCjjIF3YHhN6+NVfoadw4s0X54DHMnqhn565DjEEg==
Delivered-to: tractusx-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/tractusx-dev/>
List-help: <mailto:tractusx-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tractusx-dev>, <mailto:tractusx-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tractusx-dev>, <mailto:tractusx-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHdAI0Ca3NFjKA3N0OG4bjxxLFV7A==
Thread-topic: [tractusx-dev] GitHub Actions -> mutable versions -> immutable versions

Dear community,

As discussed in the office hour, I opened a view PRs on several repositories. Since I opened them, I am not able to approve them. Here we need you.

Every one of these PRs replaces mutable version tags (@v4, @master, @main) with 40-character immutable commit SHAs, including a human-readable comment for easier maintenance (e.g., uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2).

Every PR needs to be checked, of course there could be some errors. I tried just to replace the versions … didn’t do an upgrade or something else. It’s in the responsibility of the committer to take care about maintenance of the repositories.

In case the PRs are not approved/adapted, tis might be a sign, that no-one feels responsible -> in this case, this would mean the repository is not needed anymore and it is not maintained -> we would have to deprecate the repository.

Thank you and have a nice weekend.

BTW we also introduced a reusable trivy action in sig-infra

Repository	PR
Traceability FOSS	#1493
Item Relationship Service	#1014
SLDT Digital Twin Registry	#613
SLDT Discovery Finder	#205
SLDT Semantic Hub	#326
SLDT Semantic Models	#980
SLDT BPN Discovery	#195
SSI DIM Wallet Stub	#110
SSI Credential Issuer	#470
Managed Service Orchestrator	#200
Managed Simple Data Exchanger	#60
Simple Data Exchanger Backend	#238
Simple Data Exchanger Frontend	#207
Self-Description Factory	#262
Tractus-X SDK	#231
Identity Hub	#310
Portal (Backend/UI)	#571
SIG Infrastructure	#576
BPN DID Resolution Service	#463
Helm Charts	#150
Tractus-X Umbrella	#1665
Release Automation	#413
Tractus-X Website	#1559
SIG Release	#50
SIG Architecture	#19
Tractus-X Profiles	#26
EDC Kafka Extension	#126
Tutorial Resources	#15
Data Exchange Test Service	#40

Stephan

Stephan Bauer

Eclipse Tractus-X Project Lead

From: tractusx-dev <tractusx-dev-bounces@xxxxxxxxxxx> on behalf of Mathias Brunkow Moser via tractusx-dev <tractusx-dev@xxxxxxxxxxx>
Date: Friday, 20. March 2026 at 15:19
To: tractusx developer discussions <tractusx-dev@xxxxxxxxxxx>
Cc: Mathias Brunkow Moser <mathias.moser@xxxxxxxxxxxx>
Subject: [tractusx-dev] Trivy & Trivy

Dear Eclipse Tractus-X Community,

We have disabled all the Trivy github actions.

There was an attack which was executed not long ago in the trivy version 0.69.4.

Can be found here:

https://opensourcemalware.com/repository/https%3A%2F%2Fgithub.com%2Faquasecurity%2Ftrivy%2F

Apparently, it may affect us, so we as committers have decided to be cautious and disable all the Trivy workflows in GITHUB. Until we can confirm if we’re affected or not. Please also check if you have a "fork" if you have executed it with this version or the trivy-actions without the hash.

Here is the story:

https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release#what-happened

Remember when we said you **must** indicate the commit hash into the workflow. THIS was one of the reasons why. However we have identified that this rule was not followed in several repositories.

What we have not yet identified if we are affected (which did not specify a hashed version) or if there was a run of trivy since monday which was executed via "trivy-actions" which contained a version with malware.

We have informed the eclipse foundation via Help Desk already: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/7297 (private issue)

We have identified that the following repositories are not using the “hashed” workflow version (which may have run since monday a version with the malware):

We have check most and it looks like it has not happened, but we still need to check it deeper.

Also archived repos have no hash, but they are out of scope:

So, this is a call for all committers to NOT enable their Trivy workflow GitHub Actions until we have sorted this out, discussed a way forward and estimated the impact.

Please make sure to update your workflows in the future to use the “hash” and not the “version” of a package, not only for Trivy example:

https://github.com/eclipse-tractusx/industry-core-hub/blob/809b95d8b35751339528688f80fc86381e2b329e/.github/workflows/trivy.yml#L53

Since in this way if the tag is replaced by an attacker, they still will never be able to replace the git commit.

Please take a look on your forks and see if you are also affected in your organization, also internally. Since the impact observed is that the GitHub Actions Secrets may have been leaked.

Thank you for all the persons which supported us and reported this vulnerability.

Stay safe,

Your Eclipse Tractus-X Project Leads

References:
- [tractusx-dev] Trivy & Trivy
  - From: Mathias Brunkow Moser

Prev by Date: [tractusx-dev] Eclipse Tractus-X Release 26.06 - DONE ; ) - THANK YOU
Next by Date: [tractusx-dev] Action Required: Kubernetes New Release (1.36.2)
Previous by thread: [tractusx-dev] Trivy & Trivy
Next by thread: [tractusx-dev] Action Required: Kubernetes New Release (1.35.3)
Index(es):
- Date
- Thread

Breadcrumbs