Hacker News

xign, 12/13/2024

I think usually people like to blame GitHub Action's design, but this repository here seems to have not done the bare minimum in securing itself and more focused on producing a "state-of-the-art (SOTA)" "YOLO" model instead.

There are just a lot of things wrong with just format.yml itself. It honestly seems kind of weird that it needs commit access to push a new commit under the PR author's name/email just to format their code. I personally would find this kind of rude if I'm the PR author, as I sign all my Git commits and a bot masquerading as me in submitting a Git commit is not appreciated even for something like code formatting. And of course the author of format.yml didn't seem to know the difference between `pull_request` and `pull_request_target` and just threw both in.

I also think these days people go way overboard in CI/CD because things that are automated are obviously better, right? I personally do not like any CI pipeline that has the capability to directly commit to the main Git branch without review/signoff (which [this commit](https://github.com/ultralytics/ultralytics/commit/cb260c243f...) did by removing the author check). Things like deploying to PyPI should be more than just a single commit and involve a human. Yes, it introduces a piece of friction to the process, but if you are maintaining a big piece of open source software, a release you made is going to be deployed to lots of people's computers, so a little bit of annoyance on the maintainer's side is a small price to pay to make sure you get everything right.

I guess I'm weird. I maintain an OSS macOS app and I see other similar apps just upload their private signing keys to GitHub and just let the CI sign everything for them but I still sign my releases offline and never upload my keys to a public service.

What I'm saying is I don't think we want CI to do everything for us, especially for powerful actions (e.g. making a release) that do not need human approval, and if you do, you should think really hard about whether that's something desired and whether you want to spend the extra mental energy to think about all the security ramifications, etc., which might just offset the little bits of time you saved.
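As an added illustration (not the repository's actual format.yml and not code from the commenter), a minimal reconstruction of the trigger/permission combination the comment describes, beside a hardened variant that formats in check-only mode and never pushes; the formatter command and file names are assumptions:

```yaml
# .github/workflows/format.yml (weak, hypothetical reconstruction)
# pull_request_target runs in the base repo's context: it gets repository
# secrets and a write-capable GITHUB_TOKEN. Checking out and executing
# tooling on the untrusted PR head under that token, then pushing as the
# PR author, is the pattern the comment objects to.
name: format-weak
on:
  pull_request:          # from a fork: read-only token, push would fail
  pull_request_target:   # base-repo context: write token, push succeeds
permissions:
  contents: write
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: pip install ruff && ruff format .              # assumed formatter
      - run: |
          git config user.name  "${{ github.event.pull_request.user.login }}"
          git config user.email "${{ github.event.pull_request.user.email }}"
          git commit -am "auto-format" && git push
---
# .github/workflows/format.yml (hardened, hypothetical)
# Plain pull_request only, read-only token, and the job reports a formatting
# problem instead of rewriting the contributor's branch. The contributor (or
# a maintainer, after review) fixes and signs the commit themselves.
name: format-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install ruff && ruff format --check .      # fails, never pushes
```

The two documents are separated by `---` only for side-by-side reading; each would live in its own workflow file.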