[Security] GitHub Actions

[Ry0taK]

Hello aevea team!
I'm a security researcher who is working on OSS security.

While doing a research related to supply chain attack, I noticed that some repositories are vulnerable to repository hijacking. (This issue has been mitigated by me and GitHub.)
Since the root cause of this issue hasn't been fixed, I'd like to let you know what you should do.

In README.md, there is an example that uses commitsar-app/release-notary to use this action.
However, as this repository has been renamed to aevea/release-notary, this example should be updated.
While it's working properly as there is a feature named Repository redirects, commitsar-app could be claimed by anyone, and allows repository hijacking once someone published new release. (I already claimed this username, so it can't be abused anymore.)
Since yay has been affected by this issue, I opened the issue on yay: Jguer/yay#1468
(For more context, I've written an article that describes this problem (It's written in Japanese): https://blog.ryotak.me/post/github-actions-supplychain/)

Best Regards,
RyotaK

[fallion]

@Ry0taK thanks for this find!

The README really needs updates. I will try to mitigate this today.

[fallion]

@Ry0taK this is now merged. I'll let you close it if all is ok :)

[Ry0taK]

@fallion I've confirmed that the outdated username has been removed from README.md, thank you so much for fixing it ;)