
Release commits not being part of the repository is a security issue. #705

@assignUser


I noticed all of the release commits are orphaned and produce the following warning:

Warning: This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

This is a concerning security issue as this is the exact attack vector used in the recent tj-actions incident. The release tags were force-pushed to an orphaned, malicious commit; here there would be no way to tell that this happened.

I suspect you do this to keep the repo size small for cloning the action, which is considerate but I think a separate release branch containing only the dist/ would be a better compromise.
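As an added example (not part of the issue or of the project's own tooling), a POSIX shell check a maintainer can run against a clone to flag tags that point at commits not reachable from any branch, which is exactly the "does not belong to any branch" condition described above. It assumes git is installed and builds its own throwaway repository as constructed sample data.

```shell
#!/bin/sh
# Added example: detect release tags whose commit is orphaned (not an ancestor
# of any local or remote-tracking branch). Assumes git is on PATH and that the
# clone being inspected has fetched all branches (git fetch --all).

# Returns 0 if the tag's commit is reachable from at least one branch,
# 1 if it is orphaned, 2 if the tag does not exist.
tag_on_branch() {
    repo=$1
    tag=$2
    # rev-list -n 1 dereferences annotated tags to the underlying commit
    commit=$(git -C "$repo" rev-list -n 1 "refs/tags/$tag" 2>/dev/null) || return 2
    branches=$(git -C "$repo" branch -a --contains "$commit" 2>/dev/null)
    [ -n "$branches" ]
}

# Prints every orphaned tag with its commit hash; returns 1 if any were found.
report_orphaned_tags() {
    repo=$1
    found=0
    for t in $(git -C "$repo" tag --list); do
        if ! tag_on_branch "$repo" "$t"; then
            echo "ORPHANED: $t $(git -C "$repo" rev-list -n 1 "refs/tags/$t")"
            found=1
        fi
    done
    return $found
}

# Constructed sample data: a repo with v1.0.0 on main and v1.0.1 on an
# orphan root commit whose branch was deleted, mirroring the issue.
make_sample_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    git -C "$dir" -c user.name=x -c user.email=x@example.com \
        commit -q --allow-empty -m "source commit"
    git -C "$dir" tag v1.0.0
    git -C "$dir" checkout -q --orphan release-tmp
    git -C "$dir" -c user.name=x -c user.email=x@example.com \
        commit -q --allow-empty -m "dist only"
    git -C "$dir" tag v1.0.1
    git -C "$dir" checkout -q main
    git -C "$dir" branch -q -D release-tmp
    echo "$dir"
}
```

Run `report_orphaned_tags /path/to/clone` in CI or before trusting a release; a tag that lands on a dedicated release branch (the compromise suggested above) passes the check, while a tag moved to an orphan commit is reported.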
