I was looking at CI options for GitHub and the actions available for scp'ing a file:

https://github.com/marketplace?type=actions&query=scp

This is Russian roulette. I tried auditing three of these options and either they use some shifty copy of openssh or I just can't trust all of their indirection layers. How do people trust these things?!