dotenvx
Warn
Audited by Socket on Apr 20, 2026
1 alert found:
Security (MEDIUM): assets/gh_action_example.yaml
The main issue is supply-chain execution: the workflow installs dotenvx by piping a remotely fetched script straight into a shell (`curl ... | sh`) with no integrity verification and no pinning to a specific release, so whatever the download host serves at that moment runs with the job's privileges. The workflow then runs its tests with `DOTENV_PRIVATE_KEY` present in the process environment, which amplifies the impact if the installed tooling or the CI execution context is malicious or compromised: code that can read the key can decrypt the repository's encrypted `.env` values. No malicious payload is visible in the snippet; the pattern itself is the risk. Mitigate it by installing pinned, verified artifacts (a checksum or signature checked before anything is executed) instead of `curl | sh`, and by limiting the key's exposure during build and test so that only the step that needs it can read it.
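The two mitigations above, written as a shell step a CI job could run. This is an added example and is not code from the dotenvx project or from the Socket alert: it does not fetch anything over the network, the artifact and its digest are constructed for the demo (the well-known SHA-256 of the bytes `hello\n`), the function names are hypothetical, and it assumes GNU coreutils (`sha256sum`, `install`). A real workflow would download the release it pins and compare against the digest published for that release.

```shell
#!/bin/sh
# Added example, not code from the dotenvx project or from the Socket alert.
# Shows the two mitigations the alert asks for: install only an artifact whose
# SHA-256 matches a digest pinned in the workflow, and hand DOTENV_PRIVATE_KEY
# to one command instead of exporting it to the whole job. The artifact and
# digest below are constructed for the demo; function names are hypothetical.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE's SHA-256 equals EXPECTED_HEX.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# install_verified SRC EXPECTED_HEX DEST -> installs SRC as DEST only after the
# digest check passes. On mismatch the download is deleted so that no later
# step can execute it by accident, and the function returns 1.
install_verified() {
  if verify_sha256 "$1" "$2"; then
    install -m 0755 "$1" "$3"
    return 0
  fi
  echo "checksum mismatch for $1; refusing to install" >&2
  rm -f "$1"
  return 1
}

# run_with_private_key KEY CMD... -> runs CMD with DOTENV_PRIVATE_KEY set for
# that one process only; the key is never exported into the calling shell.
run_with_private_key() {
  key="$1"; shift
  env DOTENV_PRIVATE_KEY="$key" "$@"
}

# Stand-alone demo with a constructed artifact: "hello\n" has the digest below,
# so the genuine copy installs and a tampered copy is refused and removed.
demo() {
  dir=$(mktemp -d)
  good_digest=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  printf 'hello\n' > "$dir/download"
  install_verified "$dir/download" "$good_digest" "$dir/tool" && echo "installed"
  printf 'hello!\n' > "$dir/download"   # tampered artifact
  install_verified "$dir/download" "$good_digest" "$dir/tool2" || echo "rejected"
  [ ! -e "$dir/download" ] && echo "tampered download removed"
  # The secret is visible only inside the command it was passed to.
  run_with_private_key "demo-key" sh -c 'test "$DOTENV_PRIVATE_KEY" = demo-key' && echo "key scoped"
  test -z "${DOTENV_PRIVATE_KEY:-}" && echo "key not leaked to caller"
  rm -rf "$dir"
}
demo
```

In a GitHub Actions workflow the same idea maps to putting `DOTENV_PRIVATE_KEY` in the `env:` of the single test step rather than at job level, and to a `run:` step that verifies the downloaded release against a digest committed in the workflow before it is executed.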
Confidence: 76%, Severity: 78%