The Unmet Responsibility of GitHub

GitHub is doing the bare minimum to provide security for its users; focusing on AI, migrating to Azure, and shipping half-baked features has left its user base vulnerable.

GitHub is well behind other online VCS providers such as GitLab, which seems to be miles ahead of GitHub in terms of features. If you work somewhere that needs thousands of repositories, GitHub becomes an absolute pain to manage.

It's ridiculous how features that should have been there from the start are simply missing from GitHub. This is particularly true of GitHub Actions and the eternal "almost there" promise of immutable actions.

It's been known for a while that if you want to deploy malware, you just need to become a contributor to one of the actions a workflow depends on: if the action's repository hasn't been secured, you can take it over, and because most workflows reference actions by a mutable tag (`uses: owner/action@v1`) that is resolved at run time, nothing on the consumer's side stops the change. This has been the common attack vector in most of the recent "hacks": push code to the action's repository, get it merged, and every workflow that resolves that tag pulls the payload into its runner, together with whatever secrets the job holds.

What's worse, you can pin an action to a specific commit, but that pin only covers the action's own repository. If the action is a composite action that internally does `uses: other/action@v4`, or declares a runtime such as `node24` that the runner supplies, those inner references are resolved at run time to whatever the tag currently points to, because there is no lockfile. So you can do almost everything right and there will still be some hidden dependency in the tree that lets an obscure project bubble up into your workflow.
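As an added example (not code from the original post or from GitHub), here is a small offline audit script that makes both problems above concrete: it classifies every `uses:` reference in a workflow as commit-pinned or mutable, then follows a commit-pinned composite action one level down and reports the inner tag references that the outer pin does not freeze. The workflow text, the composite action.yml, the `octo/*` action names and the 40-hex SHAs are all constructed for the example; in practice the inner action.yml would have to be fetched at the pinned commit. The script does not model the `node24` runtime, which the runner itself supplies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A `uses:` line in a workflow or in a composite action's action.yml.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?', re.MULTILINE)
# A full 40-hex commit SHA is the only reference GitHub cannot silently retarget.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class UsesRef:
    raw: str             # the value after `uses:` as written
    action: str          # owner/repo (or path / docker image)
    ref: Optional[str]   # what follows the '@', if anything
    kind: str            # "sha", "mutable", "local" or "docker"


def classify(raw: str) -> UsesRef:
    """Decide whether a single `uses:` value is frozen or resolved at run time."""
    if raw.startswith('./'):
        return UsesRef(raw, raw, None, 'local')
    if raw.startswith('docker://'):
        return UsesRef(raw, raw, None, 'docker')
    action, _, ref = raw.partition('@')
    # Tags (v4), branches (main) and a missing ref all resolve when the job runs.
    kind = 'sha' if ref and SHA_RE.match(ref) else 'mutable'
    return UsesRef(raw, action, ref or None, kind)


def find_uses(yaml_text: str) -> List[UsesRef]:
    return [classify(m.group(1)) for m in USES_RE.finditer(yaml_text)]


def audit(workflow: str, composite_actions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (reference chain, mutable ref) for every run-time-resolved reference.

    composite_actions maps 'owner/repo' to the text of that action's action.yml
    at the pinned commit (constructed inline here, never fetched). Only one level
    of nesting is followed; a real tool would recurse.
    """
    findings: List[Tuple[str, str]] = []
    for top in find_uses(workflow):
        if top.kind == 'mutable':
            findings.append((top.raw, top.ref or '<none>'))
        inner_yaml = composite_actions.get(top.action)
        if inner_yaml is None:
            continue
        for inner in find_uses(inner_yaml):
            # Even though `top` is SHA-pinned, these inner tags are not frozen.
            if inner.kind == 'mutable':
                findings.append((f"{top.raw} -> {inner.raw}", inner.ref or '<none>'))
    return findings


# Constructed sample workflow: two SHA pins, one tag, one local action.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: octo/setup-tool@v2
      - uses: octo/lint@5d2f9e6a0d4f3b1c7e8a9b0c1d2e3f4a5b6c7d8e
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Constructed action.yml of octo/lint at the pinned commit: a composite action
# that itself references another action by a mutable tag.
LINT_ACTION_YML = """\
name: lint
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
    - run: npm ci && npm run lint
      shell: bash
"""

if __name__ == '__main__':
    for chain, ref in audit(WORKFLOW, {'octo/lint': LINT_ACTION_YML}):
        print(f"mutable ref '{ref}' via {chain}")
```

Running it reports `octo/setup-tool@v2` directly, and `octo/lint@5d2f... -> actions/setup-node@v4` as a transitive reference that the SHA pin on `octo/lint` does nothing to freeze; the only ways to close that gap today are to fork and pin the inner actions yourself or to restrict which actions the organisation may run at all.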

As I'm writing this, GitHub published the blog post "2026 GitHub Security Roadmap", which is infuriating to look at: their timelines average around five months to implement features that users have been asking for for so long.