Account suspended after CI/CD release failure — two support tickets received identical templated responses

[paolovella]

Why are you starting this discussion?

Bug

What GitHub Actions topic or product is this about?

Workflow Deployment

Discussion Details

Summary
My GitHub account was suspended after a failed multi-registry release triggered rapid tag operations that were flagged by automated abuse detection. Two support tickets received the same templated response citing "activity which goes against our Terms of Service" and "Actions solely to interact with 3rd party websites." Neither response addressed the specific circumstances of my case. I'm requesting human review.
What happened
I maintain an open source Rust security engine — a monorepo with 21 crates, 1,600+ commits, 141 formal verification files, and ~511K lines of code. The project publishes to four registries (crates.io, npm, PyPI, Maven Central) via GitHub Actions on tag push.
During the v6.0.9 release, a version bump missed 5 of 30+ manifest files scattered across the workspace. The sequence:

Tagged and pushed v6.0.9 — this triggered 6 parallel CI/CD workflows
npm, PyPI, and Maven Central published from the incomplete commit
I force-pushed the tag to correct the version files — all 6 workflows re-triggered
Three registries rejected the duplicate publishes with HTTP 403 errors (npm, Maven, and PyPI all reject duplicate version numbers)
I deleted and recreated the tag attempting to fix the failed workflows
The rapid tag churn triggered GitHub's automated abuse detection
Account suspended

Why this isn't a ToS violation
The GitHub Actions workflows were standard CI/CD for an open source project:

release.yml — cross-platform binary builds → GitHub Release
publish-npm.yml — TypeScript SDK publish to npm
publish-pypi.yml — Python SDK publish to PyPI (OIDC trusted publisher)
publish-maven.yml — Java SDK publish to Maven Central (GPG signed)
docker-publish.yml — multi-arch container build → ghcr.io
provenance-sbom.yml — SLSA attestations and SBOM generation

Publishing to package registries is the standard, documented use case for GitHub Actions. The rapid tag operations were caused by a design flaw in my release pipeline (no pre-flight version check, no publish idempotency, no single orchestrator) — not by any attempt to abuse Actions for cryptocurrency mining, incentivized activity, or general-purpose computing.
What the support responses said
Both tickets received this identical response:

"any repositories that use GitHub Actions solely to interact with 3rd party websites, to engage in incentivized activities, or for general computing purposes may fall afoul of the GitHub Additional Product Terms"

My Actions workflows don't solely interact with third-party websites. They build, test, and publish an open source project — the exact purpose Actions was designed for. The third-party interactions (registry publishes) are a small part of workflows that also run cargo test, cargo check, cross-compilation, SBOM generation, and SLSA attestation.
What I've done since
I've identified the root cause and designed fixes:

Pre-flight version validation script that checks all 30+ manifest files match before tagging
Idempotency checks for all publish workflows (check if version exists before attempting publish)
Concurrency groups across all publish workflows to prevent parallel races
Single release orchestrator instead of 6 independent workflows

What I'm asking for
Human review of my account. The account contains over four years of original work including contributions to the OWASP Agentic Security Initiative. I'm happy to modify my CI/CD workflows to comply with any specific requirements, but I need to understand what specifically needs to change — the current templated response doesn't tell me that.
If the concern is the volume of Actions runs triggered by tag churn, I completely understand and the fixes above address that directly. I'm asking for a chance to fix the pipeline, not permission to repeat the mistake.
Thank you for reading.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[paolovella]

Please describe your account restriction issue. The restricted activity was caused by a CI/CD pipeline design flaw in my open source project VellaVeto (Rust security engine, 21 crates). During the v6.0.9 release:

A version bump missed 5 of 30+ manifest files
The initial tag push triggered 6 parallel GitHub Actions workflows
I force-pushed the tag to fix the version files, triggering all 6 again
Three registries (npm, Maven, PyPI) rejected the duplicate publishes with 403s
I deleted and recreated the tag attempting to fix the failed workflows

The rapid tag operations triggered your abuse detection. This was not automated interaction with third-party websites or incentivized activity — it was a failed release attempt on my own project caused by missing idempotency checks in my publish workflows.
I have since identified the design gaps and am building a release orchestration script that validates all manifests before tagging and adds idempotency checks to all publish workflows. I'm requesting reinstatement of my account which contains 1,600+ commits of original open source work.

What is the username associated with the account that is restricted?
vellaveto

What is the primary email address associated with the account that is restricted?
wizzerdek@gmail.com

What is the account restriction?
My account is suspended

Do you need assistance removing domains or content from repositories?
No

Provide any previous ticket or reference numbers from us about this issue, if any.
#4180915