The GitHub Warning Everyone Ignores: 'This Commit Does Not Belong to Any Branch'
Many popular GitHub Actions follow a release pattern where the release commit is deleted from any branch after tagging, triggering GitHub's warning 'This commit does not belong to any branch.' This same pattern was exploited in real attacks like tj-actions and reviewdog, where attackers pointed tags to malicious commits in attacker-controlled forks to bypass code review. The post explains how to distinguish legitimate releases from compromised ones, and introduces StepSecurity's imposter commit detection and maintained action replacements as mitigations.
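The warning condition described above, reproduced as an added example (not code from the StepSecurity post): a POSIX shell check that reports whether the commit a tag resolves to is reachable from any branch, run against a constructed throwaway repository that follows the same tag-then-delete release pattern. It assumes only that git is installed; the repository, tag names and file contents are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes git is on PATH;
# the repository built below and its tag names are constructed.

# Print "orphan" when the commit a tag points to is unreachable from every
# branch (the state GitHub flags as "does not belong to any branch"),
# "on-branch" otherwise. Annotated tags are peeled to their commit.
tag_branch_status() {
    status_repo="$1"; status_tag="$2"
    status_sha=$(git -C "$status_repo" rev-parse "$status_tag^{commit}" 2>/dev/null) || return 2
    if [ -z "$(git -C "$status_repo" branch -a --contains "$status_sha")" ]; then
        echo "orphan"
    else
        echo "on-branch"
    fi
}

# Build a throwaway repo that mirrors the release pattern from the post:
# tag v1.0.0 on the branch tip, then commit built output, tag it v1.1.0
# and remove that release commit from the branch again.
make_demo_repo() {
    demo_repo=$(mktemp -d)
    git -C "$demo_repo" init -q
    git -C "$demo_repo" config user.email "demo@example.invalid"
    git -C "$demo_repo" config user.name "demo"
    echo 'name: demo-action' > "$demo_repo/action.yml"
    git -C "$demo_repo" add -A && git -C "$demo_repo" commit -q -m "initial"
    git -C "$demo_repo" tag v1.0.0
    echo '// constructed build output' > "$demo_repo/index.js"
    git -C "$demo_repo" add -A && git -C "$demo_repo" commit -q -m "release v1.1.0"
    git -C "$demo_repo" tag v1.1.0
    git -C "$demo_repo" reset -q --hard HEAD~1   # release commit now only reachable via the tag
    echo "$demo_repo"
}

# Stand-alone run: v1.0.0 -> on-branch, v1.1.0 -> orphan
demo=$(make_demo_repo)
for t in v1.0.0 v1.1.0; do
    printf '%s -> %s\n' "$t" "$(tag_branch_status "$demo" "$t")"
done
rm -rf "$demo"
```

A legitimate deleted release commit and an imposter commit pushed to a fork both come out as "orphan", which is why reachability alone cannot separate the two cases the post describes.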
Table of contents
The Attack Vector We've Seen in the Wild
Our Discovery: A Widespread Problem
Examples from Popular Actions
How StepSecurity Helps Protect Your Workflows
    2. StepSecurity Maintained Actions
Summary