Context
The increasing adoption of continuous integration and continuous deployment (CI/CD) practices has transformed software development, with GitHub Actions playing a key role in automating workflows. Many projects rely on third-party GitHub Actions, which streamline building and deployment but also widen the attack surface: an action runs inside the workflow with access to the job's GITHUB_TOKEN and secrets, so one that ships outdated dependencies, is granted more permissions than it needs, or is no longer maintained becomes a security liability for every repository that uses it.
Despite the availability of security mechanisms such as Dependabot alerts and the GitHub Advisory Database, vulnerabilities often remain unpatched for long periods, leaving repositories exposed to supply chain attacks. Understanding how developers address, prioritize, or neglect these vulnerabilities is key to improving security practices in CI/CD environments.
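Two of the weaknesses named above (a third-party action referenced by a mutable tag or branch, so a new upstream release or a compromised upstream silently changes what the job runs, and a workflow that never declares GITHUB_TOKEN permissions, so jobs inherit whatever the repository default allows) can be spotted with a short audit of the workflow file. The following checker is an added example written for this page; it is not code from the original text or from GitHub. It uses only the Python standard library and a line-oriented regex scan rather than a YAML parser, which is sufficient for the `uses:` and `permissions:` keys it inspects. The organisation and action names in the embedded workflows, and the commit SHAs, are constructed placeholders.

```python
"""Audit a GitHub Actions workflow for unpinned action references and
missing or overly broad GITHUB_TOKEN permissions.

Added example, not code from the original page. Standard library only.
"""
import re
from dataclasses import dataclass

# A full 40-hex-character commit SHA is the only immutable ref for an action.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref` or `uses: owner/repo@ref`; stops before a trailing comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# `permissions:` at workflow or job level, with an optional scalar value.
PERMISSIONS_LINE = re.compile(r"^\s*permissions:\s*([^\s#]*)")
FIRST_PARTY_OWNERS = {"actions", "github"}


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based workflow line; 0 for workflow-wide findings
    message: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per weakness, in the order they are encountered."""
    findings: list[Finding] = []
    saw_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        perm = PERMISSIONS_LINE.match(line)
        if perm:
            saw_permissions = True
            if perm.group(1) == "write-all":
                findings.append(Finding(lineno, "permissions: write-all grants every scope to GITHUB_TOKEN"))
            continue
        used = USES_LINE.match(line)
        if not used:
            continue
        ref = used.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container action, not a marketplace dependency
        action, sep, version = ref.partition("@")
        owner = action.split("/")[0]
        who = "first-party" if owner in FIRST_PARTY_OWNERS else "third-party"
        if not sep:
            findings.append(Finding(lineno, f"{who} action {action} is missing its @ref"))
        elif not COMMIT_SHA.match(version):
            findings.append(Finding(lineno, f"{who} action {action} pinned to mutable ref '{version}', not a commit SHA"))
    if not saw_permissions:
        findings.append(Finding(0, "no permissions block; jobs inherit the repository default GITHUB_TOKEN permissions"))
    return findings


# Constructed sample: mutable refs and no permissions block (hypothetical names).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@master
      - uses: example-org/deploy-tool@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: make test
"""

# The same workflow with least-privilege token permissions and SHA-pinned actions
# (placeholder SHAs; a real workflow pins the SHA of the release it audited).
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: make test
"""

if __name__ == "__main__":
    for name, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for finding in audit_workflow(workflow):
            print(f"{name}:{finding.line}: {finding.message}")
```

Run against the weak workflow the checker reports the two mutable refs (the first-party `actions/checkout@v4` tag is flagged as well, since tags can be moved) and the absent permissions block; the hardened workflow produces no findings. A SHA pin removes the mutable-ref problem but not the outdated-dependency one: the pinned action still has to be updated when its own dependencies are patched, which is where Dependabot alerts come in.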