Hacking GitHub: From Tag Rewrites to Dangling Commits, Where the Git Protocol Trusts You Without Checking

DEV Community·kt·about 1 month ago
Tags: demo, layer, security, github, commit, actions

Intro: Why we got burned twice by the same trick

On 2025-03-14, the GitHub Action tj-actions/changed-files was hijacked. Roughly 23,000 repositories that used it were exposed: the malicious commit dumped base64-encoded AWS, GitHub and PyPI tokens into public CI logs (CVE-2025-30066). About a year later, on 2026-03-19, aquasecurity/trivy-action was hit with almost the same playbook. Of its 76 version tags, 75 were rewritten to point at attacker-controlled commits.

Every headline says "supply chain attack". But put the two incidents side by side and the thing that was attacked is exactly the same: the v44 in uses: org/action@v44, i.e. the commit a git tag currently points to.

Have you ever quietly assumed that a git tag is an immutable fingerprint? It is not. It is a label. It can be force-pushed. It can be rewritten. The fact that GitHub's UI shows "v44" gives you no guarantee that this v44 points to the same commit it pointed to last week. That gap is the attack surface, and it is not only a tag issue.…
