Pin actions to commit SHAs, set persist-credentials: false on every checkout, and scope token permissions to the jobs that use them. Suppress the two findings that are safe by design: the description bot's pull_request_target trigger (no fork code runs) and an intentional word-split in the docker manifest step. Clears actionlint and zizmor against dev so the blocking gate from #1314 can pass once both land. |
||
|---|---|---|
| .. | ||
| ci.yml | ||
| docker-publish.yml | ||
| issue-description-check.yml | ||
| pr-description-check.yml | ||