Remove use of compromised action

ofek · ofek · commit 2687ea0a867d · 2025-03-15T12:03:07.000-04:00
diff --git a/.github/workflows/build-deps.yml b/.github/workflows/build-deps.yml
@@ -61,7 +61,7 @@ jobs:
       fail-fast: false
       matrix:
         job:
-        - os: arm-4core-linux
+        - os: ubuntu-22.04-arm
           image: linux-aarch64
         - os: ubuntu-22.04
           image: linux-x86_64
@@ -85,15 +85,37 @@ jobs:
 
     # On pull requests, ensure that changed files are determined before checking out the code so
     # that we use the GitHub API, otherwise we would have to fetch the entire history (depth: 0)
-    - name: Get changed files
+    - name: Check for builder changes (pull request)
+      id: changed-files-pr
+      if: github.event_name == 'pull_request'
+      env:
+        GH_TOKEN: "${{ github.token }}"
+      run: |
+        PR_NUMBER="${{ github.event.pull_request.number }}"
+        REPO="${{ github.repository }}"
+
+        BUILDERS_CHANGED=$(gh api --paginate "repos/$REPO/pulls/$PR_NUMBER/files" | \
+          jq -r 'map(.filename) | map(select(startswith(".builders/"))) | length > 0')
+
+        echo "builders_any_changed=$BUILDERS_CHANGED" >> $GITHUB_OUTPUT
+
+    # For push events, we still need to check changes but will rely on minimal checkout
+    - name: Check for builder changes (push)
+      id: changed-files-push
+      if: github.event_name != 'pull_request'
+      run: |
+        CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD)
+        echo "builders_any_changed=$(echo "$CHANGED_FILES" | grep -q "^\.builders/" && echo "true" || echo "false")" >> $GITHUB_OUTPUT
+
+    # Combine outputs for subsequent steps
+    - name: Combine changed files outputs
       id: changed-files
-      uses: tj-actions/changed-files@v42
-      with:
-        files_yaml: |-
-          builders:
-          - .builders/**
-          dependencies:
-          - ${{ env.DIRECT_DEPENDENCY_FILE }}
+      run: |
+        if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+          echo "builders_any_changed=${{ steps.changed-files-pr.outputs.builders_any_changed }}" >> $GITHUB_OUTPUT
+        else
+          echo "builders_any_changed=${{ steps.changed-files-push.outputs.builders_any_changed }}" >> $GITHUB_OUTPUT
+        fi
 
     - name: Checkout code
       if: github.event_name == 'pull_request'
