This has been a big security/UX issue with github for a while. It extends to the web interface: you can link to a specific commit under an official github repo but the contents of the README on the page will be from a malicious fork, which makes it way easier to make links look legitimate.

TFA writes: "Late last year NPM was basically a skip fire" — is this an idiom I should know? (Something like a misfire?) Or a typo for "ship fire"? Or something else?

GitHub needs to support 'Immutable Release' on GitHub Actions, as soon as possible. Other methods are just workaround and easy to break just like example on the post.

Wow. I did not know this. I'll bring it up in my organization.