zizmor (https://github.com/zizmorcore/zizmor) and actionlint (runs shellcheck on run: | blocks) provide some bandaid. zizmor detects quite a few typical injection patterns like branch names and shellcheck enforces quoeting rules in the shell snippets