fettpl
9df5a07640
ci: pin all GitHub Actions to full SHA digests
Pin every third-party GitHub Action to its current commit SHA with a
version comment, eliminating supply chain risk from mutable version
tags. Mutable tags (v4, v2, etc.) can be force-pushed by upstream
maintainers; SHA digests are immutable.
18 unique actions pinned across 9 workflow files.
Closes #357
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:32:18 +01:00
Will Sarg
7a66ce15c5
ci: route trusted security and workflow checks to self-hosted (#370)
2026-02-16 10:58:45 -05:00
Will Sarg
82ffb36f90
chore(ci): document and harden workflow pipeline (#241)
* docs(ci): add CI workflow map and cross-links
* chore(ci): harden workflow determinism and safety
* chore(ci): address workflow review feedback
* style(ci): normalize workflow and ci-map formatting
2026-02-15 20:42:47 -05:00
Chummy
c80b118963
fix(docker): pin builder to bookworm to avoid glibc runtime mismatch
* fix(docker): pin builder to bookworm for glibc compatibility
* ci: skip rust lint on non-Rust PRs and allow 0BSD
* ci: pin actionlint action to existing release tag
* ci: make docs-only matcher shellcheck-clean
---------
Co-authored-by: chumyin <chumyin@users.noreply.github.com>
2026-02-15 15:03:29 -05:00
Chummy
dfe648d5ae
chore(ci): establish PR governance for agent collaboration (#177)
* chore(ci): establish PR governance for agent collaboration
* docs: add AGENTS playbook and strengthen agent collaboration workflow
---------
Co-authored-by: chumyin <183474434+chumyin@users.noreply.github.com>
2026-02-15 12:41:16 -05:00