Open source package with 1 million monthly downloads stole user credentials


tgeeks

Seniorius Lurkius
12
Subscriptor++
The security incident report says: "An attacker exploited a script-injection vulnerability in one of our GitHub Actions workflows to publish it."

Is the script-injection vuln only present due to how the developers configured GitHub Actions or is this something that also needs to be mitigated by GitHub?

Forgive me if this is a stupid question - I have a very shallow understanding of and limited hands-on experience with GitHub.
 
Upvote
30 (30 / 0)
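On the question above: the script-injection class the incident report refers to comes from how a workflow is written, not from GitHub's runner itself, and GitHub documents it under "Security hardening for GitHub Actions". The following is an added illustration, not the affected package's real workflow and not part of the original post; the job names, the `pull_request_target` trigger and the `PR_TITLE` variable are assumptions chosen to show the general pattern.

```yaml
# Added illustration of a GitHub Actions expression injection and its fix.
# Expressions such as ${{ github.event.pull_request.title }} are expanded by
# GitHub BEFORE the shell sees the `run:` script, so a value controlled by an
# outside contributor becomes shell source code rather than shell data.

name: ci

on:
  pull_request_target:   # runs with the base repository's secrets, so a
                         # compromised step here has a lot to steal

jobs:
  # --- VULNERABLE: untrusted event data interpolated straight into the script ---
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - name: Greet contributor
        # A PR title containing a closing double quote followed by a shell
        # command is substituted verbatim here and executed with this job's
        # token and secrets. Nothing in the runner validates the expansion.
        run: echo "PR title: ${{ github.event.pull_request.title }}"

  # --- HARDENED: same information, passed as data rather than as code ---
  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # least privilege: this job gets no write token
    steps:
      - name: Greet contributor
        env:
          # The expression is expanded into an environment variable; the shell
          # then reads it as an ordinary string, quotes and all, so a hostile
          # title is printed rather than run.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
```

The same rule applies to any other attacker-influenced field (branch names, issue bodies, commit messages, review comments): never place a `${{ }}` expression holding such a value inside `run:`, and keep job `permissions:` to the minimum the step needs so that a successful injection has little to publish with.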