> Legit Security said both Google and the Apache project maintainers were informed of the vulnerability and each has patched the problem in their repositories.
No, they changed a security setting, no patch needed.
For those wondering if they are vulnerable, change your Actions permissions to "Require approval for all outside contributors" every time. It is a simple radio group.
While you're improving your GitHub Actions security, check out StepSecurity, a simple way to secure your workflows.