Changing Nothing, Yet Changing Everything: Exploring Rug Pulls in GitHub Workflows

Title: Changing Nothing, Yet Changing Everything: Exploring Rug Pulls in GitHub Workflows
Publication Type: Conference Paper
Year of Publication: 2026
Authors: Riggio, E., and C. Pautasso
Conference Name: 23rd International Conference on Software Architecture (ICSA)
Month: June
Publisher: IEEE
Conference Location: Amsterdam, The Netherlands
Keywords: Security
Abstract

Software supply chain attacks have become a significant threat to modern software systems. By exploiting the complex and transitive nature of dependencies, malicious actors have been able to perform significant attacks, also taking advantage of the dynamic relationship between software components and their dependencies. In Continuous Integration and Continuous Deployment (CI/CD) ecosystems such as GitHub Actions, developers assemble workflows out of reusable Actions. However, these Actions, in particular JavaScript ones, come with an intricate network of dependencies. As they evolve, these dependency networks expose GitHub CI/CD pipelines to subtle vulnerabilities that may be introduced without any modification of the workflows themselves. This paper investigates this phenomenon, which we call a “rug pull”, within GitHub workflows. Through formalization and an empirical analysis of real-world workflows, we characterize the propagation and persistence of such vulnerabilities as well as their remediation. Our findings highlight architectural considerations needed when designing secure yet maintainable CI/CD pipelines, emphasizing the need for careful dependency management and coordinated responsibility across the software supply chain.

Citation Key: 2026:fc4mc:icsa
Refereed Designation: Refereed