Hacker News

Open-source projects need a home with a coherent trust model for CI and release workflows. It's ridiculous that this kind of cache poisoning is even possible, and that it's the responsibility for each team to audit their configuration N different ways instead of Microsoft's responsibility to run a platform that works right. We have no hope of getting away from situations like this if everyone stays on GHA.

