Heads-up from ASF Infra. .github/workflows/auto-comment.yml uses actions-cool/issues-helper@v3:
- name: Create comment
uses: actions-cool/issues-helper@v3
What happened. On 2026-05-18, an attacker moved every tag of actions-cool/issues-helper (and actions-cool/maintain-one-comment) to an imposter commit that reads runner memory to harvest CI/CD secrets and exfiltrates them (StepSecurity advisory). GitHub TOS-blocked the repo on 2026-05-19, so @v3 no longer resolves -- this step now fails to fetch the action.
Good news -- no exposure here. I checked this workflow's run history: it had no runs during the ~5-hour window the action was malicious (2026-05-18 19:10 -> 2026-05-19 00:33 UTC), so no secrets were exposed and no rotation is needed on that evidence.
Action needed. The step is now dead and should be removed or replaced. A safe drop-in is actions/github-script (in the always-allowed actions/* namespace, so no ASF allow-list change needed) -- it can post the same welcome comment via the REST API.
Happy to send a PR if useful. This action was also removed from the ASF org-wide allow list in apache/infrastructure-actions#1035.
Heads-up from ASF Infra.
.github/workflows/auto-comment.ymlusesactions-cool/issues-helper@v3:What happened. On 2026-05-18, an attacker moved every tag of
actions-cool/issues-helper(andactions-cool/maintain-one-comment) to an imposter commit that reads runner memory to harvest CI/CD secrets and exfiltrates them (StepSecurity advisory). GitHub TOS-blocked the repo on 2026-05-19, so@v3no longer resolves -- this step now fails to fetch the action.Good news -- no exposure here. I checked this workflow's run history: it had no runs during the ~5-hour window the action was malicious (2026-05-18 19:10 -> 2026-05-19 00:33 UTC), so no secrets were exposed and no rotation is needed on that evidence.
Action needed. The step is now dead and should be removed or replaced. A safe drop-in is
actions/github-script(in the always-allowedactions/*namespace, so no ASF allow-list change needed) -- it can post the same welcome comment via the REST API.Happy to send a PR if useful. This action was also removed from the ASF org-wide allow list in apache/infrastructure-actions#1035.