
GitHub Actions Workflow Modification Blocked

Elastic Detection Rules

Summary
This rule identifies attempts to create or modify GitHub Actions workflow files on a protected branch that were blocked because the actor lacked sufficient permissions. Such attempts are often a sign of a supply chain attack, in which an attacker tries to inject a malicious workflow into a repository through its CI/CD pipeline. The rule captures the events GitHub emits when its security controls reject these unauthorized modifications. It provides a framework for investigation, allowing analysts to examine related repository activity and dependencies for malicious actions. Steps include reviewing who triggered the blocked change, checking workflow runs for suspicious activity, and assessing whether the repository uses automation tools that may have produced a false positive.
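The triage steps above, as an added example (this is not Elastic's rule query or its code): it classifies constructed GitHub audit-log style events, alerts on rejected protected-branch updates that touch a workflow file, suppresses a known automation actor, and groups the remaining alerts by actor and repository. The event field names, the action value and the allowlisted bot are assumptions, not taken from the rule.

```python
# Added example; not the Elastic rule itself. Event shape is an assumed
# approximation of a GitHub audit-log export; adjust to your real schema.
from collections import Counter

WORKFLOW_DIR = ".github/workflows/"
# Assumed action value for a push rejected by branch protection.
BLOCKED_ACTIONS = {"protected_branch.rejected_ref_update"}
# Automation that legitimately edits workflows (assumed; tune per organisation).
ALLOWLISTED_ACTORS = {"dependabot[bot]"}


def touches_workflow(paths):
    """True if any changed path is a YAML file under the workflows directory."""
    return any(p.startswith(WORKFLOW_DIR) and p.endswith((".yml", ".yaml"))
               for p in paths)


def classify(event):
    """Return 'alert', 'suppressed' or None for a single audit-log event."""
    if event.get("action") not in BLOCKED_ACTIONS:
        return None                      # not a blocked protected-branch update
    if not touches_workflow(event.get("paths", [])):
        return None                      # blocked, but no workflow file involved
    if event.get("actor") in ALLOWLISTED_ACTORS:
        return "suppressed"              # known automation: likely false positive
    return "alert"


def triage(events):
    """Collect alerts and count them per (actor, repo) for analyst review."""
    alerts = [e for e in events if classify(e) == "alert"]
    by_actor = Counter((e["actor"], e["repo"]) for e in alerts)
    return alerts, by_actor


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"action": "protected_branch.rejected_ref_update", "actor": "contractor-42",
     "repo": "acme/payments", "ref": "refs/heads/main",
     "paths": [".github/workflows/deploy.yml"]},
    {"action": "protected_branch.rejected_ref_update", "actor": "dependabot[bot]",
     "repo": "acme/payments", "ref": "refs/heads/main",
     "paths": [".github/workflows/ci.yml"]},
    {"action": "protected_branch.rejected_ref_update", "actor": "contractor-42",
     "repo": "acme/payments", "ref": "refs/heads/main", "paths": ["README.md"]},
    {"action": "git.push", "actor": "dev-1", "repo": "acme/web",
     "ref": "refs/heads/feature", "paths": [".github/workflows/ci.yml"]},
]

if __name__ == "__main__":
    found, counts = triage(SAMPLE_EVENTS)
    for e in found:
        print(f"ALERT {e['repo']} by {e['actor']}: {e['paths']}")
    print(dict(counts))
```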
Categories
  • Cloud
  • Application
Data Sources
  • Container
  • User Account
  • Application Log
ATT&CK Techniques
  • T1195
  • T1195.002
  • T1059
  • T1546
Created: 2025-12-05