The threat actors seem to be targeting repositories that have GitHub Actions enabled in order to be able to add malicious Actions and fill Pull Requests aimed at executing malicious attacker code.