“GitHub Actions remains the most exploited supply chain component in modern CI/CD.”
Everyone runs untrusted YAML against secrets in a shared environment and then acts surprised when it gets compromised. The fix is not better Actions; it is treating CI as production and treating every action you pin as a dependency you audit. Most teams will keep doing neither.
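The "dependency you audit" point has a mechanical first step: a mutable tag such as `@v4` or `@main` is not a pin at all, because whoever controls the action repository can move it. Below is an added example, not code from the original post, that scans a workflow file for `uses:` references and reports every one that resolves to something other than an immutable commit SHA or image digest. The workflow text is constructed for the demo; the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

# A full 40-hex commit SHA is the only immutable ref for a Git-hosted action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: ref" or "uses: ref", stopping before whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Constructed sample workflow (not from the post). The SHA below is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/deploy-action@main
"""


def classify_uses(ref: str) -> str:
    """Return 'pinned', 'mutable' or 'local' for a single uses: reference."""
    if ref.startswith("./"):
        # Local composite action: audited with the repo itself, not a remote dependency.
        return "local"
    if ref.startswith("docker://"):
        # Container actions are immutable only when pinned by digest, not by tag.
        return "pinned" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        # No ref at all resolves to whatever the default branch currently points at.
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every uses: entry that is not immutably pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_uses(ref) == "mutable":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is a mutable reference; pin to a commit SHA or digest")
```

Run it in CI against every file under `.github/workflows/` and fail the build on any finding. A SHA pin is the start of the audit, not the end: the pinned commit still needs review, and the action it points at can itself declare `uses:` steps with their own mutable tags.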