Company
Date Published
Author
Alvaro Munoz
Word count
3612
Language
English
Hacker News points
None

Summary

Over recent months, more than 75 GitHub Actions workflows in open-source projects were secured and over 90 vulnerabilities were found, an effort that led to enhanced support for workflows in CodeQL. The work addresses the growing number of insecure workflows, which is attributed to a lack of awareness of the intricate parts of a workflow and of what these vulnerabilities can lead to. The new CodeQL packs for GitHub Actions add taint tracking, bash support, and treat actions as a first-class language, so users can detect and remediate vulnerabilities through free code scanning and GitHub Copilot Autofix for OSS repositories. The previously limited set of CodeQL queries for these vulnerabilities has been expanded with 18 new queries, improving the detection of complex issues such as code injection, environment variable injection, and artifact poisoning, among others. The initiative has already identified and reported vulnerabilities in numerous critical repositories and highlights the common patterns behind them, notably the misuse of the pull_request_target trigger and the risks of the workflow_run event, with mitigations such as repository checks and workflow splitting. The issue_comment trigger also raises security concerns; the recommendation is to move to label gates and to avoid ineffective mitigations such as actor and date checks. The new CodeQL support for GitHub Actions is in public preview and offers a robust tool for preventing supply chain attacks in open-source software.
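The summary names the two trigger patterns behind most of the findings (misuse of pull_request_target and unchecked workflow_run consumers) and the mitigations it recommends (label gates, repository checks, workflow splitting). As an added illustration, not code from the original article or from the CodeQL packs, the workflows below contrast a weak pull_request_target job with a label-gated one and show a workflow_run job that applies a repository check. Workflow names, the `safe-to-test` label, the `ci` workflow reference and the `npm` build steps are assumptions chosen for the example.

```yaml
# Constructed example: a weak pull_request_target job.
# pull_request_target runs with the base repository's secrets and a write-capable
# GITHUB_TOKEN, so executing anything from the contributor's head ref (build scripts,
# package.json hooks, test runners) hands that privilege to untrusted code.
name: pr-build-weak
on:
  pull_request_target:            # privileged context, fires on every fork PR push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # contributor-controlled code
      - run: npm ci && npm test   # runs scripts taken from that untrusted checkout
---
# Constructed example: the same job behind a label gate.
# Restricting the event to `labeled` means the job fires only when a maintainer, having
# reviewed the diff, applies the label; a later push does not re-trigger it by itself.
# An actor check (github.actor == 'trusted-user') or a "PR older than N days" check is
# not a substitute: both are satisfiable without anyone reviewing the current head.
name: pr-build-gated
on:
  pull_request_target:
    types: [labeled]              # no run on opened/synchronize, only when a label is added
jobs:
  build:
    if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    runs-on: ubuntu-latest
    permissions:
      contents: read              # least privilege even for the gated run
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # do not leave the token in the checked-out tree
      - run: npm ci && npm test
---
# Constructed example: a workflow_run consumer with a repository check.
# Workflow splitting: the unprivileged `ci` workflow (on: pull_request) builds the fork's
# code with no secrets; this privileged follow-up only acts when the triggering run
# originated from this repository, so forks cannot steer the privileged half.
name: post-ci
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
jobs:
  publish:
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4   # default ref: the base repository, not the fork
      - run: echo "publishing from a run that originated in ${{ github.repository }}"
```

The gated workflow deliberately omits `synchronize` from `types`: if it were included and the label stayed attached, a contributor could push new commits after the review and have them run with the privileged token. If a project needs re-runs after pushes, the label must be removed on each synchronize event and re-applied after another review. In the workflow_run consumer, anything downloaded from the triggering run's artifacts is still attacker-influenced input when the run came from a fork; the repository check above is what keeps that path from reaching the `contents: write` job.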