adding poc workflows for defending against GHSL-2023-271

.github/workflows/changed-files-vulnerability-with-hr.yml

@@ -0,0 +1,38 @@
+# Vulnerability details at https://securitylab.github.com/advisories/GHSL-2023-271_changed-files/
+name: "Changed-Files Vulnerability: With Harden-Runner"
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  pull-requests: read
+
+jobs:
+  changed_files:
+    runs-on: ubuntu-latest
+    name: Test changed-files
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Example 1
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v40
+
+      - name: List all changed files
+        run: |
+          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+            echo "$file was changed"
+          done

.github/workflows/changed-files-vulnerability-without-hr.yml

@@ -0,0 +1,30 @@
+# Vulnerability details at https://securitylab.github.com/advisories/GHSL-2023-271_changed-files/
+name: "Changed-Files Vulnerability: Without Harden-Runner"
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  pull-requests: read
+
+jobs:
+  changed_files:
+    runs-on: ubuntu-latest
+    name: Test changed-files
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Example 1
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v40
+
+      - name: List all changed files
+        run: |
+          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+            echo "$file was changed"
+          done