From edaa142deeafa2604682ae2e9c33a9567eaba492 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sun, 14 Jan 2024 18:16:45 -0500 Subject: [PATCH] README: doc --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 1698818..38e44e4 100644 --- a/README.md +++ b/README.md @@ -67,3 +67,9 @@ Run woodruffw-experiments/gha-trickery@good-branch Run echo "nothing to see here" nothing to see here ``` + +So, there's a limited confusion vector here: + +1. A workflow has `uses: foo/bar@good`, which is normally a reference to a "safe" tag (in the tags namespace) +1. A disgruntled maintainer pushes a malicious branch named `good`, **without** deleting the original `good` tag +1. The original workflow now uses the malicious branch
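Review bot: the three-step list leaves the key mechanism implicit; step 3 ("The original workflow now uses the malicious branch") should state outright that when a branch and a tag share a name, the runner resolves `uses: foo/bar@good` to the branch rather than the tag, and point back to the `@good-branch` run output just above as the evidence for that ordering, since that is the whole point of the experiment. The list should also say why the vector is "limited": the attacker must already have push access to the action's repository (the "disgruntled maintainer"), so this is a trust-in-maintainer problem rather than an external one, and the usual mitigation (pinning `uses:` to a full commit SHA instead of a tag or branch name) deserves a sentence here so the README does not end on the attack without the defence. Minor: every list item is numbered `1.`; that renders sequentially in Markdown, but numbering them `1.`, `2.`, `3.` matches the prose reference to three steps and reads better in plain text.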