Nothing.
However, exfiltrating a token is much easier than modifying the workflow itself. A token is usually simply stored in an env variable.
In general, yes, it is easier to exfiltrate the token because if you can control some of the code that runs with the token available as an env var, you can do whatever.
In the specific case of the attack described in the blog post, though, the attackers added an extra GitHub Actions workflow that sent the token to an external server. That means they had enough privileges to change GHA workflows, and could just as easily change a workflow that used Trusted Publishing.
(It may be possible to configure branch protections or rules limiting who/when can trigger the Trusted Publishing workflow, but it's about as difficult as limiting the secret tokens to only be available to some maintainers.)
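As an added illustration of the trade-off discussed in the replies above (example configuration, not from the thread or the blog post it refers to; it assumes PyPI's flavour of Trusted Publishing and a GitHub environment named `pypi`), the token-in-env pattern is shown beside the OIDC pattern gated by environment protection rules:

```yaml
# Constructed example: long-lived API token stored as a repository secret.
# Once exposed as an env var, the token is readable by every step in the job,
# and by any additional workflow an attacker with write access chooses to add.
name: publish-with-token
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}   # visible to all steps below
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build twine && python -m build
      - run: twine upload -u __token__ dist/*
---
# Constructed example: Trusted Publishing. No stored secret exists; a short-lived
# OIDC token is minted for this job only, and the "pypi" environment's protection
# rules (required reviewers, allowed deployment branches/tags) decide who or what
# may run it, which is the "rules limiting who/when" mentioned above.
name: publish-trusted
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi              # assumed name; protection rules configured in repo settings
    permissions:
      id-token: write              # only this job may request the OIDC token
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Note that an added or edited workflow still needs to be merged to the protected branch or tag and to pass the environment's review rules before it can obtain an OIDC token, whereas the secret in the first variant is available to any workflow that names it.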