reviewdog GitHub Actions are compromised
A supply chain attack compromised the reviewdog/action-setup@v1 GitHub Action between March 11 and 17, 2025. The malicious commit injected a Python payload that reads the memory of the Runner.Worker process, extracts the CI/CD secrets held there, and writes them to the workflow logs, where anyone who can read those logs (everyone, in the case of a public repository) can harvest them. Several reviewdog actions that depend on action-setup (action-shellcheck, action-staticcheck, action-ast-grep, action-typos, action-composite-template) are also affected. The attack vector was most likely a compromised contributor account: an automated invitation workflow had granted write access to 118 contributors, so any one of those accounts could push to the repository. Maintainers have since disabled the auto-invite workflow, revoked the broad write access, pinned their own actions to commit SHAs, and rotated tokens. Recommended mitigations: stop using the affected actions, review workflow logs from the affected window for leaked secrets, rotate any credential that could have been exposed, and pin every GitHub Action to a full commit SHA rather than a mutable tag (a tag such as v1 can be re-pointed at a malicious commit, which is how a compromised tag reaches every workflow that references it).
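The two mitigations a practitioner has to apply across many repositories are "find every workflow that still references an affected action" and "find every action that is pinned to a tag instead of a commit SHA". The following audit script is an added example, not code from the page, from reviewdog or from any advisory; the affected-action list is the one given in the summary above, the sample workflow is constructed here, and the 40-hex SHA in it is a placeholder, not a real commit of actions/setup-python.

```python
import re

# Actions the summary above names as affected by the March 2025 compromise.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
    "reviewdog/action-composite-template",
}

# Matches `uses: owner/repo[/subpath]@ref` (optionally quoted) in a workflow.
# Local actions (./path) and docker:// references carry no @ref of this shape
# and are skipped on purpose: they are not pinned by a git commit SHA.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(/[^@'\"\s]*)?@([^'\"\s#]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (action, ref, pinned_to_sha, affected) for every remote action used.

    `pinned_to_sha` is True only for a full 40-hex commit SHA; a tag such as
    v1 or a branch name is mutable and can be re-pointed at a malicious commit.
    `affected` is True when the action is on the list above.
    """
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1).lower(), m.group(3)
        findings.append((action, ref, bool(SHA_RE.match(ref)), action in AFFECTED_ACTIONS))
    return findings


def unpinned(findings):
    """Actions that must be re-pinned to a full commit SHA."""
    return [f for f in findings if not f[2]]


def affected(findings):
    """Actions that should be removed until the upstream incident is resolved."""
    return [f for f in findings if f[3]]


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: "reviewdog/action-shellcheck@v1"
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for action, ref, _pinned, _hit in affected(found):
        print(f"AFFECTED: {action}@{ref} - remove until upstream is cleared")
    for action, ref, _pinned, _hit in unpinned(found):
        print(f"UNPINNED: {action}@{ref} - replace the tag with a full commit SHA")
```

Run it from a repository root after globbing `.github/workflows/*.yml` into `audit_workflow`. The regex is deliberately line-based rather than a full YAML parse so the script has no dependencies; it will miss `uses:` values built from expressions, which is itself a finding worth reviewing by hand. When re-pinning, keep the version as a trailing comment (as on the setup-python line) so reviewers can still see which release the SHA corresponds to.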