I think GitHub Actions is missing a distinction between builds and automation.

When I build my software I care less about eliminating security vulnerabilities (after all, I need to build while updating to fix security issues), but I also don't need, or ideally don't want, any external access. A vulnerability in the build toolchain should be encoded into the artifacts but shouldn't necessarily prevent artifacts from being generated.

However, when I automate processes, like categorising bugs etc., I care a lot about eliminating security vulnerabilities, because there is necessary external access, often write access, to my sensitive data.

GitHub considers these two things the same, but they're distinct use-cases with distinct approaches to maintenance, updating, and security.
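The split the post describes can at least be approximated today with the workflow-level `permissions:` block, which scopes the automatic `GITHUB_TOKEN`. The two workflows below are an added illustration, not code from the post or from GitHub; the `make build` target, the `dist/` path and the `needs-triage` label are assumed names, and the action references use version tags where a practitioner would normally pin a full commit SHA.

```yaml
# build.yml (assumed filename): produces artifacts and needs only to read the repo.
# The token carries no write scope, so a compromised build step cannot push
# code, edit issues or touch pull requests; it can still read and build.
name: build
on: [push, pull_request]
permissions:
  contents: read          # minimal scope; nothing else is granted
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a full commit SHA in practice
      - run: make build                    # assumed build target
      - uses: actions/upload-artifact@v4   # artifact upload does not need write scope
        with:
          name: dist
          path: dist/                      # assumed output directory
---
# triage.yml (assumed filename): automation that must write to issues.
# This is the job that warrants the stricter review and update discipline,
# because its token can modify repository data.
name: triage
on:
  issues:
    types: [opened]
permissions:
  issues: write           # the one write scope this job actually needs
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Tag new issue for triage
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
        run: gh issue edit "$ISSUE" --repo "$REPO" --add-label "needs-triage"  # assumed label
```

The point of keeping the two in separate workflow files is that the build job's token never acquires `issues: write` by accident, and a review of the triage workflow's dependencies can be held to a higher bar than the build's without blocking builds during an update.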