ulysses/.github
nopoz ed6cc88974
ci: harden existing workflows for the security gate (#3498)
Pin actions to commit SHAs, set persist-credentials: false on every
checkout, and scope token permissions to the jobs that use them. Suppress
the two findings that are safe by design: the description bot's
pull_request_target trigger (no fork code runs) and an intentional
word-split in the docker manifest step.

Clears actionlint and zizmor against dev so the blocking gate from #1314
can pass once both land.
2026-06-08 20:58:59 +02:00
..
ISSUE_TEMPLATE fix(issue-template): validate bug reports against dev, not main (#3420) 2026-06-08 11:40:41 +02:00
scripts fix(ci): restore pull-requests:write for PR label/comment writes (#3367) 2026-06-08 00:26:30 +02:00
workflows ci: harden existing workflows for the security gate (#3498) 2026-06-08 20:58:59 +02:00
pull_request_template.md docs: point PR checklist at dev (#2594) 2026-06-04 19:15:08 +02:00