CVE-2025-30066 Advisory Briefing (GitHub Actions Supply Chain)¶
CVE-2025-30066 is a supply-chain incident in which the widely used tj-actions/changed-files GitHub Action was compromised so that secrets available to affected workflow runs were written to CI logs.
At a Glance¶
| Item | Detail |
|---|---|
| Briefing type | Security briefing |
| Primary audience | Platform security and SRE |
| Action urgency | Triage immediately |
Advisory Summary¶
The compromise did not ship as a new release: the action's existing version tags were repointed to malicious code, so workflows that referenced the action by tag picked it up without any change on their side. That code read secrets from the runner process's memory and wrote them, encoded, to the workflow log; on public repositories those logs are readable by anyone. For Kubernetes teams this can expose cloud credentials, registry tokens, and GitOps secrets used to deploy or manage clusters.
Affected Components and Versions¶
- Component: GitHub Actions workflows using vulnerable tj-actions/changed-files references
- CVE: CVE-2025-30066
- Risk surface: repositories with secrets available to affected workflows
Why It Matters¶
Kubernetes platform security depends heavily on CI/CD integrity. A workflow compromise can become a cluster compromise when leaked credentials grant access to deployment pipelines, artifact registries, or IaC backends.
What to Do¶
- Locate all repositories referencing the affected action and identify runs that executed the compromised code. Treat every secret available to those runs as exposed, not only the ones passed to the affected step, because the malicious code read secrets from runner memory rather than from step inputs.
- Rotate any secret exposed to those workflows, including cloud and cluster deployment credentials, registry tokens, and credentials for IaC state backends. Assume public-repository logs have already been harvested.
- Pin all third-party GitHub Actions to immutable commit SHAs. Tags and branches are mutable, which is exactly how this compromise reached workflows that had not changed.
- Prefer short-lived federated credentials (for example OIDC-issued cloud tokens scoped to a job) over long-lived static secrets, so that a leaked value expires on its own.
- Add automated policy checks to block unpinned action references before they reach the default branch.
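The checks in the first and last steps above can be driven from one script. The following is an added example, not tooling from the original page or from the tj-actions project: it scans a workflow file for `uses:` references, flags any that are not pinned to a full 40-character commit SHA, flags references to the affected action, and lists the `${{ secrets.* }}` names the workflow touches as rotation candidates. The sample workflow and the 40-hex "SHA" in it are constructed placeholders, not real pins, and the list of affected actions is a hypothetical input you would maintain yourself.

```python
import re
from typing import Dict, List

# `uses:` reference in a workflow: owner/repo[/subpath]@ref or docker://image@ref.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)@([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SECRET_RE = re.compile(r'\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}')

# Hypothetical deny-list, maintained by the platform team (owner/repo, lowercase).
AFFECTED_ACTIONS = {"tj-actions/changed-files"}

# GITHUB_TOKEN is minted per job and expires when the job ends, so it is not
# a rotation candidate in the way a stored secret is.
EPHEMERAL_SECRETS = {"GITHUB_TOKEN"}

# Constructed sample workflow. The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - name: Push image
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}
"""


def is_pinned(action: str, ref: str) -> bool:
    """Immutable pin: a full commit SHA, or a digest for docker:// references."""
    if action.startswith("docker://"):
        return ref.startswith("sha256:")
    return bool(FULL_SHA_RE.match(ref))


def scan_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` reference (local ./ actions have no @ref and are skipped)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2]).lower()  # owner/repo, drop any subpath
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned_to_sha": is_pinned(action, ref),
            "affected": repo in AFFECTED_ACTIONS,
        })
    return findings


def policy_violations(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """References a pre-merge policy check should block: unpinned or on the deny-list."""
    return [f for f in findings if not f["pinned_to_sha"] or f["affected"]]


def rotation_candidates(text: str) -> List[str]:
    """Stored secrets the workflow references. This is a floor, not a ceiling: the
    compromised code read runner memory, so any secret loaded into the job, including
    org- or repo-level secrets not visible in this file, must be treated as exposed."""
    if not any(f["affected"] for f in scan_workflow(text)):
        return []
    names = set(SECRET_RE.findall(text)) - EPHEMERAL_SECRETS
    return sorted(names)


if __name__ == "__main__":
    for f in policy_violations(scan_workflow(SAMPLE_WORKFLOW)):
        why = "AFFECTED" if f["affected"] else "unpinned"
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{why}]")
    print("rotate:", ", ".join(rotation_candidates(SAMPLE_WORKFLOW)))
```

Run it over every `.github/workflows/*.yml` in the repositories you enumerated; anything returned by `policy_violations` is a candidate for a blocking check in CI, and the output of `rotation_candidates` is the minimum set of stored secrets to rotate when the workflow touched the affected action. The line-oriented regex covers the common `uses:` layout but not every YAML form (flow-style mappings, anchors), so treat a clean result from this script as a starting point rather than a proof of absence.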
Source Links¶
Related Pages¶
- Parent index: Security updates
- Related: IngressNightmare advisory briefing
- Related: Kubernetes v1.34 upgrade briefing
- Newsletter: This Week in Kubernetes
- Evergreen reference: Image scanning and signing