[SECURITY] TODO: inspect in-repo secrets and rotate them

I just learned that `tj-actions/changed-files` was compromised and a bunch of tags (v1 through v45.0.7) were pointing to a malicious commit around on Mar 14-15, 2025.

The current CI state points to v34: https://github.com/pypa/setuptools/blob/7fc347155ce6727bc4ebd988d3e0a91d7ba1fc0a/.github/workflows/main.yml#L244. This effectively means that there's a chance that some secrets leaked back in March.

Details:
* https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
* https://github.com/tj-actions/changed-files/issues/2463
* https://news.ycombinator.com/item?id=43372246
* CVE-2025-30066

@abravalheri @jaraco could you confirm which secrets exist in the repo and might need rotating?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[SECURITY] TODO: inspect in-repo secrets and rotate them #5040

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

[SECURITY] TODO: inspect in-repo secrets and rotate them #5040

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions