macadmins / sofa

SOFA | A MacAdmin's Simple Organized Feed for Apple Software Updates
https://sofa.macadmins.io
Apache License 2.0

SOFA PRs may be able to be abused by non-approved authors #103

Open erikng opened 3 months ago

erikng commented 3 months ago

The current github action has no safety when running on branches or PRs. A rogue PR may be able to abuse this action and steal our credentials.

erikng commented 3 months ago

So it turns out this may not be an issue:

https://github.com/orgs/community/discussions/26374

and it's not even possible to fix when using the cron option. We just need to be careful if we ever add other github actions.
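As an added illustration (not the SOFA repository's own workflow), the pattern discussed in this issue in GitHub Actions YAML: the first document is the configuration that would expose repository secrets to a fork PR, the second limits the job to the `schedule` and `workflow_dispatch` triggers with a least-privilege token. The workflow names, the `FEED_TOKEN` secret and the `./build-feed.sh` script are assumptions.

```yaml
# RISKY (hypothetical): pull_request_target runs in the base repository's
# context, so secrets are available to it; checking out the PR head and then
# executing it hands that context to whatever the PR author committed.
name: update-feed-risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: ./build-feed.sh                               # assumed script
        env:
          FEED_TOKEN: ${{ secrets.FEED_TOKEN }}            # now readable by it
---
# SAFER (hypothetical): only the scheduled run and a manual dispatch can start
# the job, so a PR cannot trigger it at all. A plain pull_request event from a
# fork would in any case receive no secrets and only a read-only GITHUB_TOKEN.
name: update-feed
on:
  schedule:
    - cron: "0 */6 * * *"
  workflow_dispatch:
permissions:
  contents: write          # only what pushing the regenerated feed needs
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the repo's own branch, not a PR
      - run: ./build-feed.sh
        env:
          FEED_TOKEN: ${{ secrets.FEED_TOKEN }}
```

A quick check when adding any future workflow: if it lists `pull_request_target`, `issue_comment` or `workflow_run` under `on:` and also checks out or runs PR-supplied content, treat it as the risky pattern.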