You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
### π Changelog
This PR hardens the `xdeployer`'s GitHub Actions workflows _end to end_.
Every workflow now _defaults_ to `permissions: {}`, with minimal grants
added per job, a `timeout-minutes` bound on every job, and
`persist-credentials: false` on all checkout steps. Third-party actions
and selected tooling dependencies are pinned to immutable commit `SHA`s
or exact versions instead of mutable tags, and the `npm` publish script
now runs under `set -Eeuo pipefail` with quoted variables. The CodeQL
workflow switches to explicit `build-mode: none`, dropping the
now-redundant Autobuild step. These workflow changes are backed by three
repository settings updates: "_Require actions to be pinned to a
full-length commit SHA_" is now enabled, the default workflow
permissions are restricted to "_Read repository contents and packages
permissions_" only, and "_Allow GitHub Actions to create and approve
pull requests_" is now disabled.
---------
Signed-off-by: pcaversaccio <pascal.caversaccio@hotmail.ch>
0 commit comments