DigiNews

Summary

GitHub Actions exposes several supply-chain risks in open source workflows, including pull_request_target usage, unpinned action versions, and cross-trust caches. The article traces multiple incidents from 2024–2026, explains why defaults are unsafe, and offers practical mitigations such as pinning SHAs, restricting token permissions, and using a workflow lockfile. It also notes GitHub's security roadmap but argues most protections remain opt-in and highlights steps maintainers can take today.