Another "user" started doing this too, so I guess my whitelisting of allowed actions wasn't enough to block the shell commands in the action. I'll just have to disable actions altogether for the moment.
GitHub have since added a form option for cryptocurrency mining when reporting abuse.
This seems like a sensible solution: https://github.blog/changelog/2021-04-22-github-actions-maintainers-must-approve-first-time-contributer-workflow-runs/