[DEEP RESEARCH] TeamPCP’s CI/CD Trust Inversion: When “Pinned” Actions Become Initial Access
![[DEEP RESEARCH] TeamPCP’s CI/CD Trust Inversion: When “Pinned” Actions Become Initial Access](https://images.squarespace-cdn.com/content/v1/54bd1221e4b05e8a3646d021/1775499012521-EBF40WMRFI2I4TYUFGMW/z.png)
A lot of orgs “secured” GitHub Actions by pinning to tags, which is a fun strategy if you enjoy finding out your trusted scanner now has initial access. CI trust is getting weird in ways most runbooks still don’t cover.