Gotta say, I love all the random fox pics. Great writeup too, I believe similar hacks have been used to install/run coinminers on other GitHub Actions pipelines (at the cost of the repo owner!), which is why that had to be heavily limited.
Build Pipeline Security feat XSS Fox
Posted on 2021-10-09: https://sprocketfox.io/xssfox/2021/02/18/pipeline/