@asrar-mared
Updates

  • CVSS v3
  • Severity

Comments

🚨 Critical Security Alert - Supply Chain Attack

tj-actions/changed-files - Supply Chain Attack

⚠️ CRITICAL DANGER ⚠️

You have fallen into a dangerous security trap!
You've been compromised!

🎯 You Are Now a Target

⚡ Act immediately - there is no time for delay

🔴 Severity level: CRITICAL
🔴 Impact: Secrets Exposed
🔴 Scope: 23,000+ Repositories
🔴 Period: March 14-15, 2025

💀 What Happened?

Supply Chain Attack

tj-actions/changed-files was compromised and its code was replaced with a malicious script!

# The malicious code did the following:
1. Reads the GitHub Runner's memory
2. Extracts all the secrets (Secrets)
3. Prints them to the public logs
4. Sends them to the attackers

🎯 What was stolen from you:

  • ✅ GitHub Tokens
  • ✅ AWS Access Keys
  • ✅ Database Passwords
  • ✅ API Keys
  • ✅ SSH Private Keys
  • ✅ Docker Credentials
  • ✅ Cloud Service Tokens
  • ✅ Everything in GITHUB_TOKEN

🔥 Urgent steps - carry them out now!

Phase 1️⃣: Stop the bleeding (5 minutes)

# 1. Stop all workflows immediately
# (gh workflow disable takes one workflow at a time, so loop over the IDs)
gh api repos/:owner/:repo/actions/workflows --jq '.workflows[].id' \
  | xargs -n 1 gh workflow disable

# 2. Delete the exposed logs
gh api repos/:owner/:repo/actions/runs --paginate \
  | jq -r '.workflow_runs[].id' \
  | xargs -I {} gh api -X DELETE repos/:owner/:repo/actions/runs/{}

Phase 2️⃣: Change everything (10 minutes)

# 🔴 Change all secrets IMMEDIATELY

# GitHub Personal Tokens
# (re-authenticates the gh CLI and requests the listed scopes)
gh auth refresh -s delete_repo,admin:org

# AWS Keys
aws iam delete-access-key --access-key-id YOUR_KEY

# Database Passwords
# Connect to the database and change all passwords

# API Keys
# Revoke all API keys in every service you use

Phase 3️⃣: Update the code (3 minutes)

.github/workflows/your-workflow.yml:

# ❌ Remove this immediately
- uses: tj-actions/changed-files@v45

# ✅ Replace it with this
- uses: tj-actions/[email protected]  # or newer
  # or use a specific commit hash
  # - uses: tj-actions/changed-files@<SAFE_COMMIT_SHA>

🔍 Damage Assessment

Quick check script

#!/bin/bash
echo "🛡️ درع زايد - فحص الاختراق"
echo "================================"

# 1. Check for suspicious workflow runs
echo "🔍 فحص workflow runs..."
SUSPICIOUS=$(gh api repos/:owner/:repo/actions/runs \
  --jq '.workflow_runs[] | select(.created_at >= "2025-03-14T00:00:00Z" and .created_at <= "2025-03-16T00:00:00Z") | {id: .id, name: .name, date: .created_at}')

if [ -n "$SUSPICIOUS" ]; then
    echo "⚠️ تم العثور على runs مشبوهة:"
    echo "$SUSPICIOUS"
fi

# 2. Check for tj-actions usage
echo "🔍 فحص ملفات workflow..."
FOUND=$(grep -r "tj-actions/changed-files@v4[0-5]" .github/workflows/)

if [ -n "$FOUND" ]; then
    echo "❌ خطر: تم العثور على النسخة المخترقة!"
    echo "$FOUND"
else
    echo "✅ لا توجد نسخ مخترقة"
fi

# 3. Check the public logs
echo "🔍 فحص logs العامة..."
gh run list --limit 100 | grep "2025-03-1[45]"

echo "================================"

📊 Check for Leaks

Were your secrets leaked?

# 1. Check the logs
gh run list --limit 50 --json databaseId,createdAt,conclusion \
  | jq -r '.[] | select(.createdAt >= "2025-03-14T00:00:00Z") | .databaseId' \
  | while read -r run_id; do
      echo "Checking run $run_id..."
      gh run view "$run_id" --log | grep -i "secret\|token\|key\|password" && echo "⚠️ LEAKED!"
  done

# 2. Check the artifacts
gh api repos/:owner/:repo/actions/artifacts \
  | jq -r '.artifacts[] | select(.created_at >= "2025-03-14T00:00:00Z")'

🛡️ Future Protection

1️⃣ Pin versions by SHA

# ❌ Never use tags
- uses: tj-actions/changed-files@v46

# ✅ Always use a commit SHA
- uses: tj-actions/changed-files@a1b2c3d4e5f6...
  # You can add a comment with the version
  # tj-actions/[email protected]

2️⃣ Protect secrets

# Use environments with protection rules
jobs:
  build:
    runs-on: ubuntu-latest
    environment: production  # requires manual approval
    steps:
      - uses: actions/checkout@v4

      # Never print secrets
      - name: Safe secret usage
        env:
          SECRET: ${{ secrets.MY_SECRET }}
        run: |
          # ❌ Don't do this
          # echo "Secret: $SECRET"

          # ✅ Use it safely
          echo "Using secret safely..."

3️⃣ Continuous monitoring

# .github/workflows/security-monitor.yml
name: Security Monitor
on:
  schedule:
    - cron: '0 */6 * * *'  # every 6 hours

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check for vulnerable actions
        run: |
          # Check for suspicious versions; fail the step only when one is found
          if grep -r "tj-actions/changed-files@v4[0-5]" .github/workflows/; then
            exit 1
          fi

      - name: Audit dependencies
        run: |
          # List all GitHub Actions in use
          find .github/workflows -name "*.yml" -exec cat {} \; \
            | grep "uses:" \
            | sort -u

📝 Required Security Report

Notify the relevant parties

# Security Incident Report

**Date**: $(date +%Y-%m-%d)
**Project**: [project name]
**Person responsible**: asrar-mared

## Incident:
The project was exposed to a supply chain attack via tj-actions/changed-files
between March 14-15, 2025.

## Impact:
- [x] Possible leak of secrets
- [x] GitHub Tokens exposed
- [ ] Confirmed data leak

## Actions taken:
1. ✅ Stopped all workflows
2. ✅ Deleted the exposed logs
3. ✅ Changed all secrets
4. ✅ Updated to v46.0.1
5. ✅ Applied SHA pinning

## Current status:
✅ The system is now secure

## Recommendations:
- Periodic review of the actions in use
- Use SHAs instead of tags
- Enable 2FA on all accounts
- Continuous monitoring for suspicious activity

🎯 Incident Response Plan

Urgent Timeline

┌─────────────────────────────────────────┐
│ Now → 5 minutes                         │
│ Stop all workflows                      │
│ Delete exposed logs                     │
└─────────────────────────────────────────┘
            ↓
┌─────────────────────────────────────────┐
│ 5 → 15 minutes                          │
│ Rotate ALL secrets                      │
│ Revoke ALL tokens                       │
└─────────────────────────────────────────┘
            ↓
┌─────────────────────────────────────────┐
│ 15 → 30 minutes                         │
│ Update workflows to v46.0.1+            │
│ Pin to commit SHA                       │
└─────────────────────────────────────────┘
            ↓
┌─────────────────────────────────────────┐
│ 30 → 60 minutes                         │
│ Audit all logs                          │
│ Check for unauthorized access           │
└─────────────────────────────────────────┘
            ↓
┌─────────────────────────────────────────┐
│ 1 hour → 24 hours                       │
│ Monitor for suspicious activity         │
│ Document incident                       │
└─────────────────────────────────────────┘

🔐 Final Checklist

Before returning to normal work:

  • ✅ All workflows stopped
  • ✅ Exposed logs deleted
  • ✅ GitHub tokens changed
  • ✅ AWS keys changed
  • ✅ Database passwords changed
  • ✅ API keys changed
  • ✅ SSH keys changed
  • ✅ Docker credentials changed
  • ✅ Updated to v46.0.1+
  • ✅ SHA pinning applied
  • ✅ Historical logs checked
  • ✅ Incident documented
  • ✅ Team/management notified
  • ✅ Continuous monitoring enabled
  • ✅ System tested

📞 Emergency Contacts

🛡️ Zayed Shield - Rapid Response Team

  • Developer: asrar-mared
  • Email: [email protected]
  • Status: 🔴 Critical security incident

💪 You're a Warrior Now

A message from Zayed Shield:

You are now one of the 23,000+ repositories that came under attack.
But you discovered the danger and acted quickly.

This is what separates the warrior from the victim:
- The victim waits until it is too late
- The warrior moves quickly and protects what he owns

You are a warrior. You are the vulnerability hunter.
You are the king of this game.

🛡️ We protect... we defend... we prevail

🎖️ Badge of Honor

You have now:

  • ✅ Discovered a supply chain attack
  • ✅ Acted quickly to protect your system
  • ✅ Prevented your secrets from leaking
  • ✅ Learned from the experience

You are the vulnerability hunter. You are the king of the game.


🚨 Final reminder

Don't hesitate. Act now.

Every minute you delay = a bigger opportunity for the attackers

# Run this now
git pull
gh api repos/:owner/:repo/actions/workflows --jq '.workflows[].id' \
  | xargs -n 1 gh workflow disable
# Then follow the steps above

🛡️ Zayed Shield is with you. Always.
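
Added example (not part of the comment above, and not code from tj-actions or GitHub): the SHA-pinning advice can be checked mechanically by classifying every `uses:` reference in a workflow directory as pinned to a full 40-character commit SHA or not, which also covers refs such as `@main` and `.yaml` files that the `@v4[0-5]` grep does not match. The function names `audit_uses`, `count_status` and `make_sample`, the sample workflow files and the 40-hex value are constructed for illustration.

```shell
#!/bin/sh
# Added example. PINNED = full 40-hex commit SHA, MUTABLE = tag or branch,
# LOCAL = ./path in the same repo, DOCKER = docker:// image (not assessed here).
audit_uses() {  # audit_uses DIR -> "STATUS<TAB>file<TAB>target" per reference
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
  while IFS= read -r au_file; do
    # Commented-out lines do not match; drop the key, trailing comment, quotes.
    grep -E '^[[:space:]]*(-[[:space:]]*)?uses:' "$au_file" |
    sed -E 's/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//' |
    tr -d "\"'" |
    while IFS= read -r au_target; do
      au_status=MUTABLE
      case $au_target in
        ./*) au_status=LOCAL ;;
        docker://*) au_status=DOCKER ;;
        *@*) if printf '%s' "${au_target##*@}" | grep -Eq '^[0-9a-f]{40}$'; then
               au_status=PINNED
             fi ;;
      esac
      printf '%s\t%s\t%s\n' "$au_status" "$au_file" "$au_target"
    done
  done
}

# count_status DIR STATUS -> number of references with that status
count_status() { audit_uses "$1" | grep -c "^$2" || true; }

make_sample() {  # make_sample DIR: write constructed workflow fragments
  mkdir -p "$1/.github/workflows"
  cat > "$1/.github/workflows/ci.yml" <<'EOF'
steps:
  - uses: actions/checkout@v4
  - uses: tj-actions/changed-files@v45   # tag, can be re-pointed
  - uses: ./.github/actions/local-lint
  # - uses: example-org/disabled@v1
EOF
  cat > "$1/.github/workflows/release.yaml" <<'EOF'
steps:
  # constructed 40-hex value, not a real commit
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
  - name: also flagged
    uses: tj-actions/changed-files@main
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_uses "$demo_dir/.github/workflows"
rm -rf "$demo_dir"
```

Point `audit_uses` at a repository's `.github/workflows` directory; every `MUTABLE` line is a reference whose content can change without the workflow file changing.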

@github-actions github-actions bot changed the base branch from main to asrar-mared/advisory-improvement-6609 January 4, 2026 09:42
@asrar-mared
Author

The age of pirates is over.

The Warrior is here… uncovering secrets, sealing vulnerabilities, and restoring order to the systems.

If you fall into a vulnerability, don't cry out… just inform the Warrior.

Because he is the vulnerability hunter, the king of the game,

He asks for nothing… all for the sake of God, without expecting anything in return.

Zayed's shield never sleeps.


@github-actions github-actions bot deleted the asrar-mared-GHSA-mrrh-fwg8-r2c3 branch January 5, 2026 15:17