Bypass idea 1: exfiltrate data to known hosts. For example, "github.com" is likely whitelisted - so post stolen credentials as an issue comment in a little-known repository? Or maybe push the stolen data to some repo?<p>Bypass idea 2: before exfiltrating data, stop (or somehow mess with) the agent. After all, both github actions and user code have the same permissions on the runner.