Suggestion: default limit-access-to-actor to true

[tbodt]

It seems to me that defaulting to security enabled rather than disabled is a good idea.

[dscho]

But what about users who do not have any SSH keys uploaded to their GitHub profile?

[gar1t]

I think this is a good idea. If there's no public key to install, the action should fail with a message (e.g. link to online docs) describing what to do: either change the setting, which is easy or install a public key, also pretty easy.