Thank you, unfortunately we have a multiple of repositories with multiple runs that use this action so checking the logs one by one will be hard. Any idea how to get all logs? Thank you

I think your best bet is to traverse all the pipeline logs that make use of the action using Github's REST API.

It should be easy to do with thr Github CLI tool and some bash scripting.

Not sure how easy it'll be to parse the logs to look for a base64 string but it shouldn't be that complicated either.

also the secrets will be published as double base 64 encoded, so it will just look like a string of random chars at the end of the changed-files action in the log.

If you are using the action and were as of 10p ET last night I would assume everything is compromised, remove the action, and rotate secrets.