The vulnerability in GitHub Actions lies in its handling of forked repositories, which allows attackers to exploit the `pull_request_target` event to gain access to the base repository's context and secrets. This can lead to a "Pwn Request" scenario where an attacker can compromise the GITHUB_TOKEN and leak secrets. Additionally, workflows triggered by `workflow_run` events can also be vulnerable if they checkout code from forked repositories or use insecure artifacts. To secure GitHub Actions workflows, developers should avoid running privileged workflows on untrusted code, validate the triggering repository and user, run the workflow only after manual validation, check that the triggering repository matches the base repository, treat actions as 3rd-party dependencies, handle untrusted artifacts securely, restrict the code that runs on self-hosted runners, and adhere to the least privilege principle. A community tool, GitHub Actions Scanner, has been created to help identify potential issues in workflows and actions.