At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.
From the GitHub Actions Hardening Guide:
It is possible for an attacker to steal a job's GITHUB_TOKEN. Once expired, the token is no longer useful to an attacker. To work around this limitation, they can automate the attack and perform it in fractions of a second by calling an attacker-controlled server with the token.
The attacker server can use the GitHub API to modify repository content, including releases, if the assigned permissions of GITHUB_TOKEN are not restricted.
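The guide's mitigation is to restrict what the GITHUB_TOKEN is allowed to do, so that a token exfiltrated from a job is useless against the repository even before it expires. The workflow below is an added example (not code from the original page or from GitHub's hardening guide) that sets the token to read-only for the whole workflow and grants a single narrow write scope to the one job that needs it; the workflow name, job names, build command and the PR-comment step are assumptions made for illustration.

```yaml
# Added example (not from the original page): least-privilege GITHUB_TOKEN.
# Workflow name, job names and the build command are placeholders.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Without a `permissions` block the token's scopes come from the repository
# default, which may still be read/write on contents, releases and more.
# Setting it here makes the token read-only for every job unless a job
# explicitly asks for more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only token: even if a step in this job leaks it,
    # the token cannot push to branches or modify releases.
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # placeholder build command

  comment:
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'pull_request'
    # Grant only the one write scope this job needs; everything else stays
    # read-only. `contents` is still read so the token cannot change code.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --repo "$GITHUB_REPOSITORY" --body "Build finished."
        env:
          # The gh CLI reads its token from GH_TOKEN.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

The design point is that write scopes are granted per job, never at the workflow level, so a job that only builds or tests holds a token that cannot modify repository content. A repository-level default of read-only permissions for GITHUB_TOKEN (in the repository's Actions settings) gives the same baseline for workflows that omit the `permissions` block.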
Here is an example of a past incident where the GITHUB_TOKEN was compromised and used to
In December 2020, ryotkak reported as part of the Bug Bounty program how he exfiltrated the GITHUB_TOKEN from a GitHub Actions workflow.
This is the pull request that was merged into a release branch using the compromised GITHUB_TOKEN: microsoft/vscode#113596