GitHub doesn't really seem to prioritise security. I just reported a nasty way to smuggle code[0] into Actions pipelines to them and got a classic "expected behaviour WONTFIX" response. It's exactly the kind of sneaky behaviour that the Jia Tans out there would use in an attack.
[0] (see end of) https://cedwards.xyz/github-actions-are-an-impending-securit...