GitHub Actions is the weakest link

Open-source devs are panic-posting as GitHub’s handy tool becomes the villain

TLDR: The article says many recent software supply-chain hacks trace back to GitHub Actions workflows that were risky by design, not by accident. Commenters are split between smug “called it” veterans, people trashing YAML and GitHub’s reliability, and others openly planning their escape.

The article’s big accusation is brutal: a shocking number of recent software break-ins didn’t happen because hackers found some magical new trick — they happened because GitHub Actions, GitHub’s built-in automation tool, did exactly what it was designed to do. That’s the part sending commenters into full doom-scroll mode. The post links major incidents — from a crypto miner sneaking into downloads to stolen secrets spilling out of thousands of code projects — back to the same place: little workflow files quietly running powerful jobs with risky defaults.

And wow, the crowd is not in a forgiving mood. One camp is doing the classic “I told you so” victory lap. A commenter said they pinned actions to exact commit hashes years ago because trusting movable tags felt reckless, and now they feel grimly vindicated. Another took the flamethrower approach, calling GitHub Actions an “unserious product, used largely by unserious people,” which is the kind of line that starts fights before lunch. Meanwhile, others turned the whole thing into a roast of programming in YAML, basically asking why modern developers are still casting dangerous spells in glorified config files.

There’s also entrepreneurial chaos in the replies: people plugging alternatives, talking about escaping GitHub, and hinting that the real scandal is how normal this all became. The meme-y subtext? Your code pipeline is one weird comment away from becoming a crime scene.

Key Points

  • The article links several recent open-source supply-chain incidents to GitHub Actions workflows and documented platform behavior.
  • It argues that GitHub Actions functions like a package manager because `uses:` dependencies are re-resolved against mutable tags without lockfiles, integrity hashes, or transitive visibility.
  • The `pull_request_target` trigger is described as especially risky because it runs in the base repository context with secret access and a write-scoped token.
  • The article says the November 2024 spotbugs incident allowed theft of a maintainer's personal access token (PAT), which later contributed to the reviewdog and tj-actions compromise chain.
  • It describes Ultralytics as a cache-poisoning case and says the March 2025 tj-actions incident drew a CISA advisory and reportedly targeted Coinbase.
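The defaults the key points call out can be spotted mechanically before a workflow ever runs. What follows is an added example, not code from the article or from any project it mentions: a line-based audit of a workflow file that flags `uses:` references not pinned to a full commit SHA, the `pull_request_target` trigger, a checkout of the untrusted PR head inside that trigger, and a blanket `write-all` token. The sample workflow is constructed for this example, the 40-zero SHA is a placeholder, and the scan is a text heuristic rather than a YAML parser.

```python
import re

# Constructed sample workflow for this example (not taken from the article or
# any real repository); it shows the defaults the key points above call out.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/lint-action@main
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # placeholder SHA
      - run: npm test
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")          # an immutable commit pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s]+)")
TRIGGER_RE = re.compile(r"^\s*(on:\s*.*\b)?pull_request_target\b")


def audit_workflow(text: str) -> list:
    """Line-based scan of a workflow file, returning (line_no, kind, detail).
    kinds: mutable-ref (uses: on a tag/branch, re-resolved on every run), pr-target
    (pull_request_target trigger), pr-head-ref (checkout of the untrusted PR head
    inside that privileged context), write-all (blanket write token)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop YAML comments before matching
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):  # local/docker refs skipped
                _, _, version = ref.rpartition("@")
                if not FULL_SHA.match(version):
                    findings.append((no, "mutable-ref", ref))
        if TRIGGER_RE.match(line):
            findings.append((no, "pr-target", line.strip()))
        if "ref:" in line and "github.event.pull_request.head" in line:
            findings.append((no, "pr-head-ref", line.strip()))
        if re.match(r"^\s*permissions:\s*write-all\b", line):
            findings.append((no, "write-all", line.strip()))
    return findings
```

Run `audit_workflow()` over the text of each `.github/workflows/*.yml` file; on the sample it reports five findings and leaves the SHA-pinned `setup-node` step alone.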

Hottest takes

"I kept commit hashes. I feel rather v..." — rmunn
"Programming in YAML has always seemed crazy to me" — recursivedoubts
"Github Actions is a decidedly unserious product, used largely by unserious people" — jpgvm

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.