Skip to content

CI: replace compromised actions-cool/issues-helper in auto-comment workflow #5455

Description

@potiuk

Heads-up from ASF Infra. .github/workflows/auto-comment.yml uses actions-cool/issues-helper@v3:

      - name: Create comment
        uses: actions-cool/issues-helper@v3

What happened. On 2026-05-18, an attacker moved every tag of actions-cool/issues-helper (and actions-cool/maintain-one-comment) to an imposter commit that reads runner memory to harvest CI/CD secrets and exfiltrates them (StepSecurity advisory). GitHub TOS-blocked the repo on 2026-05-19, so @v3 no longer resolves -- this step now fails to fetch the action.

Good news -- no exposure here. I checked this workflow's run history: it had no runs during the ~5-hour window the action was malicious (2026-05-18 19:10 -> 2026-05-19 00:33 UTC), so no secrets were exposed and no rotation is needed on that evidence.

Action needed. The step is now dead and should be removed or replaced. A safe drop-in is actions/github-script (in the always-allowed actions/* namespace, so no ASF allow-list change needed) -- it can post the same welcome comment via the REST API.

Happy to send a PR if useful. This action was also removed from the ASF org-wide allow list in apache/infrastructure-actions#1035.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions