Yes, this has been an issue for so long and GitHub just doesn't care enough to fix it.

There's another way it can be exploited. It's very common to pin Actions in workflows these days by their commit hash like this:

  - uses: actions/checkout@378343a27a77b2cfc354f4e84b1b4b29b34f08c2

But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.

GitHub just doesn't care about security. Actions is a security disaster and has been for over a decade. They would rather spend years migrating to Azure for no reason and have multiple outages a week than do anything anybody cares about.

Yeah the way Github connects forks behind the scenes has created so many gotchas like this, I'm sure it's a nightmare to fix at this point but they definitely hold some responsibility here.

I think calling prompt injection 'simple' is optimistic and slightly naive.

The tricky part about prompt injection is that when you concatenate attacker-controlled text into an instruction or system slot, the model will often treat that text as authority, so a title containing 'ignore previous instructions' or a directive-looking code block can flip behavior without any other bug.

Practical mitigations are to never paste raw titles into instruction contexts, treat them as opaque fields validated by a strict JSON schema using a validator like AJV, strip or escape lines that match command patterns, force structured outputs with function-calling or an output parser, and gate any real actions behind a separate auditable step, which costs flexibility but closes most of these attack paths.