Security & supply chainGitHub Actions hands fork triggers a read-only cache token
GitHub Actions now issues read-only cache tokens to workflow events fired from outside a repository's collaborator set, applying least privilege to the default-branch cache so untrusted triggers cannot poison entries the next push reuses.