dotnet-gha-publish

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The workflow references external GitHub Actions that are fetched and executed at runtime (for example, uses: actions/setup-dotnet@v4 -> https://github.com/actions/setup-dotnet and uses: docker/build-push-action@v6 -> https://github.com/docker/build-push-action), so these URLs deliver remote code the workflow relies on and which runs in the runner.