"DevOps security is hard" in part, becuase the way many GitHUb organizaitons are chaoticly structured, says Adnan Khan in his talk "Securing the Pipeline: Protecting Self-Hosted GitHub Runners" at #BsidesSF

While about GH, this could be applied to any CI/CD.