If an action was originally at org1/name1 but was transferred to org2/name2, git operations using org1/name1 (including fetching actions) continue to work, silently redirected to org2/name2.
This is true right up until org1/name1 is created again, at which time the redirect is removed.
This allows a (potentially new!) org1 to upload whatever they like and replace the action. It doesn't matter if you trusted org1 "back then" and trust org2 now, new-org1 gets to determine what is in your action.
Because transitive dependency graphs are so sprawling, you might just be vulnerable to this.
Using actions "@hex-ref" may help with this somewhat but it's not a magic bullet and has its own downsides.
Yet another reason to write dumb GitHub actions (e.g., that avoid doing anything more sophisticated than run shell commands), imo.
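A quick way to see how exposed a repository is to the redirect problem described above is to list every remote action a workflow pulls in and flag the ones not pinned to a full commit SHA. The following audit script is an added example, not code from the original post: it uses a regex on `uses:` lines rather than a YAML parser so it runs with only the standard library, and the workflow text it scans is constructed sample input (the `org1/name1` and `org2/name2` names are the placeholders from the post, and the 40-hex SHA is made up).

```python
"""Audit GitHub Actions workflow text for `uses:` references.

Added example (not from the original post). Reports each remote action
as (owner, repo, path, ref) and whether the ref is a full 40-hex commit
SHA, so the un-pinned owner/repo pairs can be checked for transfers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches "uses: value" both as a step ("- uses: ...") and as a job-level
# reusable-workflow call ("uses: ..."); the value may be quoted.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)
# GitHub commit SHAs are 40 hex characters; anything else is a mutable ref.
SHA_RE = re.compile(r'^[0-9a-f]{40}$', re.IGNORECASE)


@dataclass(frozen=True)
class ActionRef:
    owner: str
    repo: str
    path: str   # sub-directory or reusable-workflow file, '' if none
    ref: str    # tag, branch or SHA after '@'
    pinned: bool  # True only for a full commit SHA


def parse_uses(value: str) -> Optional[ActionRef]:
    """Turn one `uses:` value into an ActionRef, or None for local/docker actions."""
    # Local actions and container images never hit the GitHub repo redirect path.
    if value.startswith("./") or value.startswith("docker://"):
        return None
    target, _, ref = value.partition("@")
    parts = target.split("/", 2)
    if len(parts) < 2:
        return None  # not an owner/repo form; ignore
    owner, repo = parts[0], parts[1]
    path = parts[2] if len(parts) == 3 else ""
    return ActionRef(owner, repo, path, ref, bool(SHA_RE.match(ref)))


def audit_workflow(text: str) -> List[ActionRef]:
    """Return every remote action referenced in the workflow text, in order."""
    refs = (parse_uses(m.group(1)) for m in USES_RE.finditer(text))
    return [r for r in refs if r is not None]


def unpinned(refs: List[ActionRef]) -> List[ActionRef]:
    """Actions resolved through a tag or branch (mutable, redirect-sensitive)."""
    return [r for r in refs if not r.pinned]


def owners(refs: List[ActionRef]) -> List[Tuple[str, str]]:
    """Distinct owner/repo pairs to check for ownership transfers."""
    return sorted({(r.owner, r.repo) for r in refs})


# Constructed sample workflow; names and the SHA are placeholders.
SAMPLE_WORKFLOW = """
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: org1/name1@main
      - uses: org2/name2@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local
      - uses: "docker://alpine:3.19"
      - name: Lint
        uses: some-org/tools/lint@v1.2.3
"""

if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for r in unpinned(found):
        print(f"UNPINNED {r.owner}/{r.repo}{'/' + r.path if r.path else ''}@{r.ref}")
    print("owner/repo pairs to review for transfers:", owners(found))
```

Pinning alone does not settle the question the post raises: a `uses:` line still names `org1/name1`, so the owner/repo list is the thing to review, and the script prints it for exactly that reason.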