Compromising GitHub Repositories Through the Actions Dependency Tree
paloaltonetworks.com

my tldr:
If an action was originally at org1/name1 but was transferred to org2/name2, git operations using org1/name1 (including fetching actions) continue to work, silently redirected to org2/name2.
This is true right up until org1/name1 is created again, at which time the redirect is removed.
This allows a (potentially new!) org1 to upload whatever they like and replace the action. It doesn't matter if you trusted org1 "back then" and trust org2 now, new-org1 gets to determine what is in your action.
Because transitive dependency graphs are so sprawling, you might just be vulnerable to this.
Pinning actions to a full commit SHA ("@<hex-ref>") may help with this somewhat, but it's not a magic bullet and has its own downsides.
Yet another reason to write dumb GitHub Actions (e.g., ones that avoid doing anything more sophisticated than running shell commands), imo.
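As an added example (not code from the article or from Palo Alto Networks), here is a small audit that pulls every `uses:` reference out of a workflow file, records whether it is pinned to a full commit SHA, and flags references whose `owner/repo` name is no longer canonical, i.e. the name now redirects after a transfer and could be re-registered. The workflow text and the redirect map are constructed sample data; the assumed way to populate the map for real is the `GET /repos/{owner}/{repo}` endpoint, which answers a redirected name with a 301 to the new repository.

```python
"""Audit GitHub Actions references for transferred (redirected) repository names."""
import json
import re
import urllib.request
from typing import List, NamedTuple, Optional, Tuple

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// references have no owner/repo@ref form.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+)/([\w.-]+)(/[^@\s"\']*)?@([^\s"\'#]+)', re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA, as opposed to a tag or branch name


class Finding(NamedTuple):
    owner: str
    repo: str
    ref: str
    sha_pinned: bool
    redirected_to: Optional[str]  # "newowner/newrepo" when the name used is no longer canonical


def parse_uses(workflow_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, repo, ref) for every remote action reference in a workflow."""
    return [(m.group(1), m.group(2), m.group(4)) for m in USES_RE.finditer(workflow_text)]


def audit(workflow_text: str, redirects: dict) -> List[Finding]:
    """redirects maps 'owner/repo' as written -> canonical 'owner/repo' for transferred repos."""
    findings = []
    for owner, repo, ref in parse_uses(workflow_text):
        key = f"{owner}/{repo}"
        findings.append(Finding(owner, repo, ref, bool(SHA_RE.match(ref)), redirects.get(key)))
    return findings


def risky(findings: List[Finding]) -> List[Finding]:
    """References whose original name redirects: the dangling name could be recreated by someone else.
    A SHA pin only covers this reference, not what the action itself pulls in transitively."""
    return [f for f in findings if f.redirected_to]


def lookup_redirect(owner: str, repo: str) -> Optional[str]:
    """Assumed real-world source for the map (network, not used in the offline test):
    the REST API returns 301 for a moved repo; urllib follows it, so full_name is the new name."""
    with urllib.request.urlopen(f"https://api.github.com/repos/{owner}/{repo}") as resp:
        full_name = json.load(resp)["full_name"]
    return None if full_name.lower() == f"{owner}/{repo}".lower() else full_name


# Constructed sample workflow and redirect map (old-org/setup-thing was transferred to new-org).
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: old-org/setup-thing@v2
      - uses: old-org/setup-thing@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: "some-org/monorepo/packages/action@main"
"""
SAMPLE_REDIRECTS = {"old-org/setup-thing": "new-org/setup-thing"}
```

Running `risky(audit(SAMPLE_WORKFLOW, SAMPLE_REDIRECTS))` on the sample reports both `old-org/setup-thing` references; the unpinned `@v2` one is the direct "whatever new-org1 uploads" case from the post, the SHA-pinned one is still worth repointing at the canonical name.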