resend-cli
Audited by Socket on Mar 16, 2026
1 alert found:
Obfuscated File

The workflow is intended to send a deployment notification via the Resend service and is functionally legitimate. However, it exhibits a moderate supply-chain security risk due to immediate execution of an unpinned remote installer (curl | bash) and the use of a secret that the installer or CLI can access.

Mitigations: replace the piped installer with a pinned, checksummed release or an official, audited GitHub Action; restrict RESEND_API_KEY scope and rotate it regularly; avoid hard-coded recipients or document their intent; and restrict who can trigger the workflow if sensitive secrets are available in the environment.

Absent inspection of the remote installer or CLI, the YAML alone does not prove malicious behavior.