my tldr:

If an action was originally at org1/name1 but was transferred to org2/name2, git operations using org1/name1 (including fetching actions) continue to work, silently redirected to org2/name2.

This is true right up until org1/name1 is created again, at which time the redirect is removed.

This allows a (potentially new!) org1 to upload whatever they like and replace the action. It doesn't matter if you trusted org1 "back then" and trust org2 now, new-org1 gets to determine what is in your action.

Because transitive dependency graphs are so sprawling, you might just be vulnerable to this.

Using actions "@hex-ref" may help with this somewhat but it's not a magic bullet and has its own downsides.

Yet another reason to write dumb github actions (e.g., that avoid doing anything more sophisticated than run shell commands), imo.
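An added example, not from the comment above: a small audit that finds which `uses:` references in a workflow still resolve through a mutable tag or branch (and so through GitHub's repo-name lookup, which the redirect-then-recreate scenario above abuses) versus a full commit SHA. The workflow text and the org/name values are constructed for illustration.

```python
import re

# A `uses:` step line: captures the action (owner/repo[/path], ./local, or docker://)
# and, when present, the ref after `@`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)(?:@([^\s"\']+))?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow; org1/name1 and org2/name2 are placeholders, not real repos.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: org1/name1@main
      - uses: org2/name2@8f4b72c1d9e0a3b5c6d7e8f9a0b1c2d3e4f5a6b7
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""


def audit_uses(workflow_text):
    """Return (action, ref, status) for each GitHub-hosted action reference.

    status is 'pinned' when ref is a full 40-hex commit SHA, else 'mutable'.
    A mutable ref (tag or branch) is resolved by name at run time, so whoever
    controls the repo that org/name resolves to controls the code. A SHA pin
    fails closed instead: a re-created repo cannot serve a commit it lacks.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2) or ''
        if action.startswith('./') or action.startswith('docker://'):
            continue  # local path or container image; no GitHub repo lookup
        status = 'pinned' if FULL_SHA_RE.match(ref) else 'mutable'
        findings.append((action, ref, status))
    return findings


def mutable_actions(workflow_text):
    """Just the action names that are not pinned to a full commit SHA."""
    return [a for a, _, s in audit_uses(workflow_text) if s == 'mutable']


if __name__ == '__main__':
    for action, ref, status in audit_uses(SAMPLE_WORKFLOW):
        print(f'{status:8} {action}@{ref}')
```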