From the dev.to devops feed, saved in brief so it does not get lost.
GitHub Actions is the most-targeted CI/CD platform in the world right now. Not because it is insecure by design, but because billions of automated workflows run on it daily, most with misconfigured permissions, mutable dependencies, and zero security review. In 2026 alone: the Megalodon campaign poisoned thousands of repos in six hours. The TanStack cache poisoning attack published malicious packages with valid, signed provenance. The tj-actions/changed-files compromise exfiltrated secrets from thousands of repos in a single day. All of them used GitHub Actions misconfigurations as the entry point. The 7 misconfigurations covered: Overly permissive GITHUB_TOKEN — write-all is still the default for repos created before Feb 2023; pull_request_target with untrusted code — the pattern behind the high
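To make the two misconfigurations named above concrete, here is an added example (not from the article): a workflow that combines pull_request_target with a checkout of untrusted PR code and the repository's default token, beside a safer rewrite. The two documents are meant to live in two separate workflow files; the action pin SHA is a placeholder.

```yaml
# File 1 (risky): .github/workflows/ci-risky.yml
# pull_request_target runs in the base repository's context, so the job has the
# repo's secrets and, under the pre-Feb-2023 default, a write-capable GITHUB_TOKEN.
# Checking out the PR head and running its scripts hands that context to untrusted code.
name: ci-risky
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # mutable tag; no explicit permissions block
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: npm ci && npm test            # executes PR-controlled package.json scripts

# File 2 (safer): .github/workflows/ci-safer.yml
# pull_request gives fork PRs a read-only GITHUB_TOKEN and no secrets; permissions
# are declared explicitly (least privilege) and the action is pinned to a commit.
name: ci-safer
on:
  pull_request:
permissions:
  contents: read                           # overrides the repository-wide default
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # placeholder: replace with the full 40-character commit SHA of the release you audited
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - run: npm ci && npm test
```

If a job genuinely needs pull_request_target (for example to comment on a PR), keep the checkout on the base ref and never execute anything from the PR head in that job.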
Full text and context at the original source: https://dev.to/dev_encyclopedia/github-actions-security-7-misconfigurations-to-avoid-3h35