What’s more, GitHub has basically stopped maintaining their own actions, pushing people to sketchy forks to do basic things. Their entire ecosystem is basically held up with duct tape and gets very little investment.

Pleased this is being discussed somewhere as it’s something that has troubled me for a while.

There are so many third party actions where the docs or example reference the master branch. A quick malicious push and they can presumably exfiltrate data from a ton of repositories

(Even an explicit tag is vulnerable because it can just be moved still, but master branch feels like not even trying)