* chore(workflows): complete migration to Blacksmith cloud runners
Migrate remaining workflows from self-hosted axecap runners to Blacksmith:
- docker.yml: publish job
- release.yml: publish job
- security.yml: audit and deny jobs (conditional on push events)
This completes the transition away from self-hosted infrastructure.
Axecap runner registrations (IDs 21, 22) have been removed.
All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency.
* Merge branch 'main' into selfhost-blacksmith
* ci: add SHA256 checksums to release artifacts
Generate a SHA256SUMS file after downloading all build artifacts and
include it in the GitHub Release. Users can verify download integrity
with `sha256sum -c SHA256SUMS`.
Closes#358
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: whitelist lxc-ci self-hosted runner label for actionlint
Add actionlint.yaml config to declare lxc-ci as a known custom label
for self-hosted runners, fixing the actionlint CI check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Pin every third-party GitHub Action to its current commit SHA with a
version comment, eliminating supply chain risk from mutable version
tags. Mutable tags (v4, v2, etc.) can be force-pushed by upstream
maintainers; SHA digests are immutable.
18 unique actions pinned across 9 workflow files.
Closes#357
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
