
There is nothing weird with that; the origins of those workflows are on-site CI/CD tools where that is not a problem as both inputs and scripts are controlled by the org, and in that context

> But GitHub Actions instead has this weird concept of "default-branch originated" events (like pull_request_target and issue_comment) that are significantly more privileged than they should be.

That is just very convenient when setting up the workflow

They just didn't give a shred of thought about how something open to the public should look




> There is nothing weird with that; the origins of those workflows are on-site CI/CD tools

Well, it is pretty weird if you end up using it on a cloud-based open platform where anyone can do anything. The history is not an argument for it not being weird, it is an argument against the judgement of whoever at Microsoft thought it'd be a good idea. I'm sure that person is now long gone in early retirement. It'd have been great if developers weren't so hypnotized by the early brand of GitHub to see GitHub Actions for what it is, or namely, what it isn't.



