We know that application dependencies have dependencies. It also happens that GitHub Action's repositories use Actions which use Actions. The nest of dependencies within our CI/CD is complex and largely unobserved. In this talk, we'll introduce techniques like repojacking and command injection and explore the depth of our dependencies alongside research into thousands of mainstream GitHub projects showing the potential upstream attack paths. All findings have been responsibly disclosed