Comment by 0xbadcafebee

> This allowed the threat actor to perform authenticated operations, including force-updating tags

Hey look, infrastructure underpinning the security of thousands of products, being compromised in a way a simple setting could have prevented (Do not allow overriding tags is an old GH setting). Yet another reason we need a Software Building Code. I wonder how many more of these reasons we'll find in 2026.