
Audit idea: TOCTOU PR/branch checks #935

@woodruffw

Description

GitHub Actions is susceptible to TOCTOU vulnerabilities in a handful of places: workflow_dispatch and other "maintainer dispatch" events (like issue_comment) where a maintainer initiates an action based on the perceived state of a PR branch.

The basic vulnerability here is:

  1. The attacker creates a PR/branch/other symbolic object with a certain (innocent-looking) state;
  2. The maintainer performs their dispatched event, e.g. adding a label, leaving a comment, triggering a workflow_dispatch;
  3. The dispatched workflow uses the symbolic object's reference (PR number, branch name);
  4. The attacker races the dispatched workflow so that the symbolic object points to something malicious instead (e.g. a new commit on the PR/branch that wasn't there at review time).

Adnan Khan has a clean example of this within Dependabot's CI/CD on his blog:

[Image: the vulnerable workflow from Adnan Khan's blog post]

Here, the vulnerable workflow is triggered via workflow_dispatch and takes the PR number as an input, so the attacker can race to push new state onto the PR and end up controlling context/potentially executing code within a privileged trigger.

We should attempt to detect these within zizmor as well. Needs some further design thought as well.
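The following is an added illustration of the detection idea, not code from zizmor or from the issue author. It is a deliberately simplified line-based heuristic (zizmor's real audits work on the parsed workflow model): it scans a `workflow_dispatch` workflow for `actions/checkout` `ref:` values, or `gh pr checkout` calls, that are keyed on a PR number or branch name taken from an input, and it only accepts an input-derived ref when the workflow also contains a step that validates the input as a full 40-hex commit SHA. Both workflow texts are constructed samples; the input names `pr_number` and `expected_sha` are assumptions.

```python
import re

# Constructed sample: the pattern described in the issue. The maintainer dispatches
# the workflow with a PR number, and the checkout resolves that number to whatever
# the PR head happens to be at run time, so a push after review wins the race.
VULNERABLE_WORKFLOW = """\
name: dependabot-helper
on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: PR to process
        required: true
jobs:
  process:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ inputs.pr_number }}/head
      - run: make test
"""

# Constructed sample: the same job keyed on the exact commit that was reviewed.
# The input is validated as a full SHA (via an env var, not interpolated into the
# script) before it is used, so the checkout cannot drift after dispatch.
HARDENED_WORKFLOW = """\
name: dependabot-helper
on:
  workflow_dispatch:
    inputs:
      expected_sha:
        description: full commit SHA that was reviewed
        required: true
jobs:
  process:
    runs-on: ubuntu-latest
    steps:
      - name: Refuse anything but a full commit SHA
        env:
          SHA: ${{ inputs.expected_sha }}
        run: |
          [[ "$SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "expected_sha must be a 40-hex SHA"; exit 1; }
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.expected_sha }}
      - run: make test
"""

RE_INPUT_EXPR = re.compile(r"\$\{\{\s*inputs\.([A-Za-z0-9_-]+)\s*\}\}")
RE_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
RE_REF_LINE = re.compile(r"^\s*ref:\s*(.+?)\s*$")
RE_PR_CHECKOUT = re.compile(r"\bgh\s+pr\s+checkout\b")
# Heuristic: a step that mentions a 40-hex character class is treated as SHA validation.
RE_SHA_VALIDATION = re.compile(r"\[0-9a-f\]\{40\}")


def find_toctou_refs(workflow_text):
    """Return (line_no, reason) findings for checkouts keyed on refs that can move
    between maintainer review and workflow execution."""
    lines = workflow_text.splitlines()
    findings = []
    if "workflow_dispatch" not in workflow_text:
        return findings  # only maintainer-dispatched workflows are in scope for this check
    validates_sha = any(RE_SHA_VALIDATION.search(line) for line in lines)
    for line_no, line in enumerate(lines, 1):
        ref = RE_REF_LINE.match(line)
        if ref:
            value = ref.group(1).strip("'\"")
            if RE_FULL_SHA.match(value):
                continue  # a literal full SHA cannot be raced
            input_names = RE_INPUT_EXPR.findall(value)
            if "refs/pull/" in value or "refs/heads/" in value:
                findings.append((line_no, f"checkout ref {value!r} is a symbolic ref that can move after dispatch"))
            elif input_names and not validates_sha:
                findings.append((line_no, f"checkout ref comes from input(s) {input_names} with no full-SHA validation step"))
        elif RE_PR_CHECKOUT.search(line) and RE_INPUT_EXPR.search(line):
            findings.append((line_no, "`gh pr checkout` on a dispatched PR number resolves the PR head at run time"))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, find_toctou_refs(text))
```

Pinning the dispatched job to a reviewed SHA is the mitigation the race cannot defeat: the attacker can still push to the PR, but the workflow no longer follows the PR head. A production audit would additionally resolve `github.event.pull_request.head.ref` and similar context expressions, which this heuristic does not model.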

Metadata

Assignees

No one assigned

Labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
