How to Harden GitHub Actions: The Unofficial Guide
Over the past three years, researchers have highlighted the risks associated with GitHub Actions. These threats became manifest with two recent incidents. First, last December brought a supply chain attack where attackers exploited a vulnerable GitHub Actions workflow to introduce an XMRig cryptominer to deployment versions of the Ultralytics Python package. Then, in March, we had the “tj-actions” incident. The attacker in this incident took advantage of multiple common anti-patterns associated ...
Read more at wiz.io