5 Commits

Author SHA1 Message Date
bo0tzz
504930947d
fix: various actions workflow security improvements (#17651)
* fix: set persist-credentials explicitly for checkout

https://woodruffw.github.io/zizmor/audits/#artipacked

* fix: minimize permissions scope for workflows

https://woodruffw.github.io/zizmor/audits/#excessive-permissions

* fix: remove potential template injections

https://woodruffw.github.io/zizmor/audits/#template-injection

* fix: only pass needed secrets in workflow_call

https://woodruffw.github.io/zizmor/audits/#secrets-inherit

* fix: push perm for single-arch build jobs

I hadn't realised these push to the registry too :x

* chore: fix formatting

* fix: $

* fix: retag job quoting

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-18 15:10:27 -05:00
Nicholas Flamy
9e015c7f97
feat: lint workflow files and others files in .github (#16914)
* add npm prettier dep and format script to .github folder

* initial work on prettier formatting test

* attempt index notation

* change name of .github job to be valid

* another use of index notation

this is getting overcomplicated

* Change job ID to `github-files-formatting` and chane the name to `.github Files Checks`

* Change job name to `.github Files Formatting`

* Update Makefile with .github module and `filter-out`s

* run prettier formatting as added in this PR
2025-03-24 10:49:18 -05:00
renovate[bot]
9105e696bf
chore(deps): pin github action dependencies (#16923)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-17 17:25:14 +00:00
bo0tzz
9c825e15de
fix: run preview label remove job on PR close (#16811)
🤦
2025-03-11 15:26:09 +00:00
bo0tzz
ca9e02379d
feat: remove preview label on pr close (#16249) 2025-02-21 17:54:11 +01:00