compose/.github
Guillaume Lours 336f21f846 ci: harden GitHub Actions workflows
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the
vulnerable range of CVE-2025-24362 and the v2 line has no patched
release, so bump to v3.36.3. Scope the release job to tag refs so its
contents:write token is only minted when a release is actually
created. In merge.yml, drop a dead conditional (workflow only triggers
on push) and pass DOCKERDESKTOP_REPO to github-script via env rather
than inline interpolation, as recommended against script injection.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-07-07 10:56:13 +02:00
..
ISSUE_TEMPLATE fix yaml indentation 2025-07-18 11:59:56 +02:00
workflows ci: harden GitHub Actions workflows 2026-07-07 10:56:13 +02:00
CODEOWNERS CODEOWNERS: add compose-reviewers 2026-07-07 10:39:47 +02:00
dependabot.yml chore: setup dependabot for github actions 2026-07-06 17:11:24 +02:00
PULL_REQUEST_TEMPLATE.md docs: fix grammatical issues (#9997) 2022-11-29 10:52:22 -05:00
SECURITY.md Fix typo in SECURITY.md 2026-04-15 10:38:54 +02:00
stale.yml pass stal bot inactivity limit from 6 to 3 months 2024-11-12 09:37:21 +01:00