tj-actions/changed-files, has been compromised with a payload that appears to attempt to dump secrets, impacting thousands of CI pipelines.
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromi...
https://www.upwind.io/feed/github-actions-supply-chain-compromise-tj-actions-changed-files-action
