GitHub Actions is the weakest link
kept by eddie
GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.