GitHub has finally fixed a serious vulnerability in GitHub Actions reported by Google's security team, Project Zero. The researchers notified GitHub three months ago.
Google had said it was a very serious vulnerability, but GitHub did not respond immediately, as it classified the issue as a "moderate security vulnerability".
The Google Project Zero team usually discloses the bugs it finds 90 days after reporting them to the responsible vendor. The 90-day period passed and GitHub had still not fixed the vulnerability. The Google researchers granted another 14 days, but again nothing happened, so they decided to disclose the vulnerability (in early November).
A day before the scheduled disclosure (after the extension), GitHub told Google it would not disable the vulnerable Actions workflow commands until November 2 and requested an additional 48 hours. However, those extra hours were to be used to inform customers about a future fix, not to correct the vulnerability itself.
The Google research team decided to disclose the vulnerability rather than grant more time, since 104 days had already passed since the initial report to GitHub.
GitHub finally fixed the vulnerability last week by disabling the old Actions runner commands "set-env" and "add-path", as suggested by researcher Felix Wilhelm.
The fix was released on 16 November, two weeks after Google disclosed the vulnerability.
Now that GitHub has disabled the two vulnerable commands, Wilhelm has updated his report and confirmed that the issue has been resolved.
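To show what the two disabled commands did and why removing them closed the hole, here is an added example (not code from GitHub, the Actions runner, or Project Zero). It simulates the runner's old behaviour of scanning every stdout line of a step for `::set-env name=NAME::VALUE` and `::add-path::DIR`, beside the file-based `$GITHUB_ENV` / `$GITHUB_PATH` mechanism GitHub introduced to replace them. The issue title, the variable name `INJECTED_VAR` and the directory paths are constructed placeholders, and the simulation handles single-line values only.

```python
import os
import re

# The two legacy workflow commands the runner used to honour on every
# line a step wrote to stdout:
#   ::set-env name=NAME::VALUE   (set an env var for the following steps)
#   ::add-path::DIR              (prepend DIR to PATH for the following steps)
LEGACY_COMMAND = re.compile(
    r"^::(?P<cmd>set-env|add-path)"
    r"(?: name=(?P<name>[A-Za-z_][A-Za-z0-9_]*))?::(?P<value>.*)$"
)


def apply_legacy_stdout(stdout: str, env: dict) -> dict:
    """Simulated pre-fix runner: parse workflow commands out of a step's
    stdout and apply them to the environment of the following steps.
    Untrusted text the step merely echoes into the log is parsed as well."""
    env = dict(env)
    for line in stdout.splitlines():
        m = LEGACY_COMMAND.match(line.strip())
        if not m:
            continue
        if m["cmd"] == "set-env" and m["name"]:
            env[m["name"]] = m["value"]
        elif m["cmd"] == "add-path":
            env["PATH"] = m["value"] + os.pathsep + env.get("PATH", "")
    return env


def apply_env_files(github_env: str, github_path: str, env: dict) -> dict:
    """Simulated post-fix runner: stdout is ignored; only NAME=VALUE lines a
    step appended to the file named by $GITHUB_ENV and directories appended
    to the file named by $GITHUB_PATH are applied (single-line values only)."""
    env = dict(env)
    for line in github_env.splitlines():
        if not line.strip() or "=" not in line:
            continue
        name, value = line.split("=", 1)
        env[name.strip()] = value
    for line in github_path.splitlines():
        if line.strip():
            env["PATH"] = line.strip() + os.pathsep + env.get("PATH", "")
    return env


# Constructed attacker-controlled input, e.g. an issue title that a workflow
# step echoes into the build log. The second line is a smuggled command.
UNTRUSTED_TITLE = "Fix typo in README\n::set-env name=INJECTED_VAR::attacker-controlled"
UNTRUSTED_PATH_LINE = "::add-path::/tmp/attacker-bin"  # constructed placeholder


def step_stdout_for(title: str) -> str:
    """What a naive step such as `echo "Processing: $TITLE"` would print."""
    return f"Processing: {title}\n{UNTRUSTED_PATH_LINE}\n"


def demo() -> dict:
    base_env = {"PATH": "/usr/bin"}
    stdout = step_stdout_for(UNTRUSTED_TITLE)
    # Before the fix: the echoed title sets a variable and hijacks PATH.
    before_fix = apply_legacy_stdout(stdout, base_env)
    # After the fix: the same echo is just log text; nothing was written to
    # $GITHUB_ENV or $GITHUB_PATH, so the environment is unchanged.
    after_fix = apply_env_files("", "", base_env)
    # A legitimate use of the replacement mechanism, for comparison.
    legit = apply_env_files("BUILD_MODE=release\n", "/opt/tool/bin\n", base_env)
    return {"before_fix": before_fix, "after_fix": after_fix, "legit": legit}


if __name__ == "__main__":
    for label, env in demo().items():
        print(label, env)
```

The point of the file-based replacement is that the runner no longer treats anything a step happens to print as an instruction; a step has to write deliberately to the `$GITHUB_ENV` or `$GITHUB_PATH` file, so log output derived from issue titles, commit messages or other untrusted input can no longer change the environment of later steps.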