The Tag That Lied: How a GitHub Action Turned Versioning Into a Credential Trap

A third-party GitHub Action was reportedly repointed through mutable tags, turning a routine workflow dependency into a path for code execution and CI/CD secret theft.