CVE-2021-32724

check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the check-spelling action enabled that triggers on pull_request_target (or schedule), an attacker can send a crafted Pull Request that causes a GITHUB_TOKEN to be exposed. With the GITHUB_TOKEN, it's possible to push commits to the repository bypassing standard approval processes. Commits to the repository could then steal any/all secrets available to the repository. As a workaround users may can either: Disable the workflow until you've fixed all branches or Set repository to Allow specific actions. check-spelling isn't a verified creator