Six supply chain incidents from November 2024 to April 2026 trace back to five recurring GitHub Actions design flaws, none of them classified as bugs.
Key Takeaways
pull_request_target trigger runs with full write tokens against untrusted fork code; root cause in spotbugs, Ultralytics, nx, Trivy, and the prt-scan campaign.
Mutable git tags as action versions let attackers hijack 23,000 downstream repos (tj-actions) by force-pushing a tag to a dangling, unreviewed object in the shared fork pool.
${{ }} template expansion into shell before execution enables injection; the nx incident reached 5,000+ private repos through exfiltrated AI coding assistant credentials.
OIDC trusted publishing on PyPI, npm, RubyGems, and crates.io concentrates registry integrity on GitHub Actions workflows, making workflow YAML the primary attack surface for package compromise.
GitHub’s security roadmap (workflow lockfile, scoped secrets, egress firewall) is entirely opt-in and months out; 91% of PyPI packages using third-party actions still pin by mutable tag.
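A workflow audit for three of the flaws listed above (the pull_request_target trigger, actions pinned by mutable tag, and ${{ }} expansion into a run script), as an added example that is not code from the original page or from GitHub. The rule names, the line-based regex heuristics, the choice of github.event.* and github.head_ref as the flagged contexts, and the sample workflow are assumptions made for illustration.

```python
import re

# Constructed sample workflow; example-org/example-action and its SHA are placeholders.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - run: echo "${{ github.event.pull_request.title }}"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "$TITLE"
"""

TRIGGER = re.compile(r"^\s*(?:on:.*|-\s*)?\bpull_request_target\b")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:")
# Assumption: only attacker-influenced contexts are flagged, not every ${{ }}.
UNTRUSTED = re.compile(r"\$\{\{[^}]*\bgithub\.(?:event\.|head_ref)")

def audit(text):
    """Line-based heuristic: return [(line_no, rule)] for one workflow file."""
    findings, run_col = [], None  # run_col: column of the enclosing `run:` key
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # a dedent ends the script block
        if TRIGGER.match(line):
            findings.append((no, "pull_request_target"))
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).partition("@")[2]
            if not re.fullmatch(r"[0-9a-f]{40}", ref):  # tag or branch, not a commit SHA
                findings.append((no, "mutable-ref"))
        m = RUN_KEY.match(line)
        if m:
            run_col = m.end(1)
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "expr-in-run"))  # expanded into the script before the shell runs
    return findings

if __name__ == "__main__":
    for no, rule in audit(SAMPLE):
        print(f"line {no}: {rule}")
```

The last step of the sample passes the same value through env, so the shell receives it as a variable instead of as script text, and the audit does not flag it.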