Comment by varunsharma07

The root cause is workflows that grant trust to untrusted inputs: pull_request_target that checks out and executes fork code with repo secrets, ${{ }} expressions that interpolate branch names/filenames into shell commands unsanitized, and issue_comment triggers with no author_association check.

These attacks only work when maintainers opt into dangerous patterns without guardrails.