GitHub Actions: Are there security concerns using an external action in a workflow job?

If you use ftp-action@master then every time your workflow runs it will fetch the master branch of the action and build it. So yes, I believe it would be possible for the owner to change the code to capture secrets and send them to an external server under their control.

What you can do to avoid this is use a specific version of the action and review their code. You can use a commit hash to refer to the exact version you want, such as ftp-action@efa82c9e876708f2fedf821563680e2058330de3. You could use a tag if it has release tags. e.g. [email protected] Although, this is maybe not as secure because tags can be changed.

Alternatively, and probably the most secure, is to fork the action repository and reference your own copy of it. my-fork/ftp-action@master.