Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
Pinning a GitHub Action to a full commit SHA fixes only the action's own repository contents. The action can still execute code the SHA does not cover: a container image referenced by a mutable tag rather than a digest, dependencies installed at run time without a lockfile or hash check, or a script fetched from an external URL while the job runs. Any of those can change between runs without the pinned SHA changing, so a workflow that looks fully pinned can still pull in malicious code.
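The following is an added example, not code from the original article or from GitHub, that turns the point above into a static check: it scans a workflow for `uses:` references that are not 40-character SHAs, `docker://` images that are referenced by tag instead of digest, `run:` steps that pipe a download into a shell or install packages without a lock or hash check, and scans an action's Dockerfile for base images that are not digest-pinned. The workflow, Dockerfile, action names and digests are constructed for illustration and do not refer to real repositories.

```python
"""Static scan for references a SHA pin does not cover in GitHub Actions material.

Added example, not code from the original article. The sample workflow,
Dockerfile, action names and digests below are constructed for illustration.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# curl/wget output piped straight into a shell: whatever the URL serves today runs.
FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# Heuristic: `npm install` may rewrite the lockfile (use `npm ci`); pip without
# --require-hashes resolves whatever the index serves for a version or range.
UNLOCKED_INSTALL = re.compile(r"\bnpm\s+install\b|\bpip3?\s+install\b(?![^;&|]*--require-hashes)")

# Constructed sample inputs (not taken from any real repository).
WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: some-org/lint-action@v2
      - uses: docker://python:3.12-slim
      - uses: docker://python@sha256:{'0' * 64}
      - uses: ./.github/actions/local-helper
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: npm install && npm test
      - run: |
          pip install requests
          echo done
"""

DOCKERFILE = f"""\
FROM node:20 AS builder
RUN npm ci
FROM gcr.io/distroless/nodejs20-debian12@sha256:{'1' * 64}
COPY --from=builder /app /app
"""


def image_is_pinned(image: str) -> bool:
    """A container image is immutable only when referenced by digest, not tag."""
    return bool(DIGEST.search(image))


def check_uses(ref: str):
    """Return a finding for a `uses:` reference, or None when it is pinned."""
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        return None if image_is_pinned(image) else f"{ref}: image referenced by tag, not digest"
    if ref.startswith("./"):
        return None  # local action, versioned with the calling repository itself
    _name, sep, version = ref.rpartition("@")
    if not sep:
        return f"{ref}: no ref given, resolves to the default branch"
    if SHA40.match(version):
        return None
    return f"{ref}: '{version}' is a tag or branch and can be moved"


def check_run(cmd: str):
    """Return findings for one shell command line taken from a `run:` step."""
    findings = []
    if FETCH_EXEC.search(cmd):
        findings.append("run step pipes a downloaded script into a shell")
    if UNLOCKED_INSTALL.search(cmd):
        findings.append("run step installs packages without a lock or hash check")
    return findings


def scan_workflow(text: str):
    """Return (line number, message) pairs for every unpinnable reference in a workflow."""
    findings = []
    block_indent = None  # indentation of the `run:` key while inside a `run: |` body
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:
            if line.strip() and indent <= block_indent:
                block_indent = None  # dedented back out of the block scalar
            else:
                findings += [(lineno, f) for f in check_run(line)]
                continue
        m = USES_LINE.match(line)
        if m:
            msg = check_uses(m.group(1))
            if msg:
                findings.append((lineno, msg))
            continue
        m = RUN_LINE.match(line)
        if m:
            cmd = m.group(1).strip()
            if cmd in ("|", "|-", ">", ">-"):
                block_indent = indent
            else:
                findings += [(lineno, f) for f in check_run(cmd)]
    return findings


def scan_dockerfile(text: str):
    """Flag FROM lines whose base image is not digest-pinned (build stages excluded)."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        base, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if base.lower() in stages or base.lower() == "scratch" or image_is_pinned(base):
            continue
        findings.append((lineno, f"FROM {base}: base image referenced by tag, not digest"))
    return findings


if __name__ == "__main__":
    for where, result in (("workflow", scan_workflow(WORKFLOW)),
                          ("Dockerfile", scan_dockerfile(DOCKERFILE))):
        for lineno, msg in result:
            print(f"{where}:{lineno}: {msg}")
```

Run against the constructed sample, the scan leaves the SHA-pinned checkout, the digest-pinned image and the local action alone and reports the `@v2` tag, the tag-referenced image, the `curl | bash` step, the `npm install` step and the unhashed `pip install` inside the block scalar, plus the `node:20` base image in the Dockerfile. The second scan is the important one for the article's point: the action that invokes that Dockerfile may be SHA-pinned in your workflow, but the base image it builds on is resolved by tag at run time. The install-command checks are heuristics; a lockfile that itself lists unpinned ranges, or a `requirements.txt` with `>=` entries, is still unlocked even though these patterns do not fire.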
Tags: Package, GitHub