We are aware of the recent security incident¹ involving the tj-actions/changed-files GitHub Action, which affected over 23,000 repositories. This action contained malicious code that could expose CI/CD secrets by printing them in build logs.

We are pleased to report that our repositories were not impacted. We achieve this by strictly pinning all GitHub Actions to specific commit hashes. This practice ensures our workflows run only the intended code, protecting against unauthorized changes.

For transparency, we maintain an OpenSSF Scorecard² that shows our commitment to security best practices. We will continue to monitor and adapt our practices to keep our community safe.