> But this commit doesn't even have to belong to the preceding repository. You can reference a commit on a fork. Great way to sneak in an xz-utils style backdoor into critical CI workflows.

Wow. Does the SHA need to belong to a fork of the repo? Or is GitHub just exposing all (public?) repo commits as a giant content-addressable store?