GitHub actions code injection attack via malicious crafted branch name. Interesting! The Pull Request wasn't even merged but must have done something when GitHub Actions ran on the request. Be careful with your automated testing systems running on untrusted user code!