by aperi 109 days ago
safe to say the root cause is bad PRs (untrusted)?
1 comment

The root cause is workflows that grant trust to untrusted inputs: pull_request_target that checks out and executes fork code with repo secrets, ${{ }} expressions that interpolate branch names/filenames into shell commands unsanitized, and issue_comment triggers with no author_association check.

These attacks only work when maintainers opt into dangerous patterns without guardrails.
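As an added example (not part of this thread), here is a GitHub Actions workflow that applies the three guardrails the comment above names: checking out the trusted base branch under `pull_request_target`, passing PR-controlled strings through `env` instead of interpolating `${{ }}` into `run:`, and gating `issue_comment` on `author_association`. The workflow and job names and the `/run-tests` command are assumptions.

```yaml
# Added example, not from the thread. Job names and the slash command are
# illustrative; OWNER/MEMBER/COLLABORATOR are real author_association values.
name: untrusted-input-hardened

on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]

permissions:
  contents: read          # least privilege: read-only token unless a job asks for more

jobs:
  pr-check:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    steps:
      # Check out the trusted default branch, never the fork's head.
      # The dangerous form is ref: ${{ github.event.pull_request.head.sha }}
      # followed by running scripts from that checkout with repo secrets.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
          persist-credentials: false

      # PR-controlled strings go through env, so the shell sees them as
      # variable values. Writing ${{ github.event.pull_request.title }}
      # directly inside run: splices the raw text into the script.
      - name: Report PR metadata
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          printf 'title=%s\n' "$PR_TITLE"
          printf 'head_ref=%s\n' "$HEAD_REF"

  comment-command:
    # Only run a slash command when the commenter has a trusted association.
    if: >-
      github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association) &&
      startsWith(github.event.comment.body, '/run-tests')
    runs-on: ubuntu-latest
    steps:
      - run: echo "authorized /run-tests from a trusted author_association"
```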