Many projects have CI setups that run code (a Makefile can run any code, for example), which means an untrusted third-party contribution would allow that party to run arbitrary code on the CI platform. Yes, the solution is not to let untrusted third-party code be run without manual review.
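An added illustration of the point above (example configuration written for this note, not from the original comment), assuming GitHub Actions as the CI platform: the first workflow checks out a fork's head ref under `pull_request_target`, so the fork's Makefile runs with the base repository's secrets and a write-capable token; the second runs fork code only with a read-only token and behind an environment whose protection rule requires a maintainer's approval before the job starts.

```yaml
# Weak: pull_request_target runs in the base repository's context (its
# secrets, a write-capable GITHUB_TOKEN) yet checks out the contributor's
# head commit, so `make test` executes whatever the fork's Makefile says.
name: ci-weak
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test

---
# Corrected: plain pull_request event (fork PRs get no base-repo secrets),
# token restricted to read, and the job bound to an environment that is
# configured with "Required reviewers", so a maintainer looks at the diff
# before the untrusted Makefile is ever executed.
name: ci-reviewed
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    environment: untrusted-pr   # assumed environment name; set required reviewers on it
    steps:
      - uses: actions/checkout@v4
      - run: make test
```

The repository-level setting "Require approval for all outside collaborators" (Settings, Actions, fork pull request workflows) gives the same manual gate without touching the workflow file.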