pytorch_geometric is using a compromised tj-actions/changed-files GitHub action

pytorch_geometric uses a compromised version of tj-actions/changed-files. The compromised action appears to leak secrets the runner has in memory.

The action is included in:
  - https://github.com/pyg-team/pytorch_geometric/blob/d2bb939a1bfba3b7a6f7d7b102a2771471657319/.github/workflows/documentation.yml

Output of an affected runs:
  - https://github.com/pyg-team/pytorch_geometric/actions/runs/13864242315/job/38799668099#step:3:63

Please review.

Learn about the compromise on [StepSecurity](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) of [Semgrep](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

pytorch_geometric is using a compromised tj-actions/changed-files GitHub action #10119

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

pytorch_geometric is using a compromised tj-actions/changed-files GitHub action #10119

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions