mirror of
https://github.com/docker/compose.git
synced 2026-07-11 18:54:35 +00:00
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection. Signed-off-by: Guillaume Lours <glours@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| ISSUE_TEMPLATE | ||
| workflows | ||
| CODEOWNERS | ||
| dependabot.yml | ||
| PULL_REQUEST_TEMPLATE.md | ||
| SECURITY.md | ||
| stale.yml | ||