dwroberts a day ago

Pleased this is being discussed somewhere as it’s something that has troubled me for a while.

There are so many third party actions where the docs or examples reference the master branch. A quick malicious push and they can presumably exfiltrate data from a ton of repositories.

(Even an explicit tag is vulnerable because it can just be moved still, but master branch feels like not even trying)
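As an added example (not from the commenter or any project discussed), a small checker that scans a GitHub Actions workflow for `uses:` references pinned to a branch or tag instead of a full commit SHA; the sample workflow and the 40-hex SHA in it are constructed for illustration.

```python
"""Flag third-party action references that are not pinned to a commit SHA.
Added example; the workflow text and SHA below are constructed."""
import re

# Matches `- uses: owner/repo[/path]@ref` lines in a workflow file.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)@([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """'sha' for a full 40-hex commit id, 'tag' for a version-like tag
    (v1, v2.3.4), otherwise 'branch' (master, main, ...)."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch"


def find_unpinned(workflow_text):
    """Return (line_no, action, ref, kind) for each `uses:` that points at a
    branch or tag. Local (./path) and docker:// actions are skipped."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue
        kind = classify_ref(ref)
        if kind != "sha":  # both branches and tags are mutable refs
            findings.append((n, action, ref, kind))
    return findings


# Constructed sample: one branch pin, one tag pin, one SHA pin, one local.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: actions/setup-node@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for n, action, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} pinned to a {kind}, not a commit SHA")
```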