compose/.github/workflows
Guillaume Lours 336f21f846 ci: harden GitHub Actions workflows
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the
vulnerable range of CVE-2025-24362 and the v2 line has no patched
release, so bump to v3.36.3. Scope the release job to tag refs so its
contents:write token is only minted when a release is actually
created. In merge.yml, drop a dead conditional (workflow only triggers
on push) and pass DOCKERDESKTOP_REPO to github-script via env rather
than inline interpolation, as recommended against script injection.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-07-07 10:56:13 +02:00
..
ci.yml ci: harden GitHub Actions workflows 2026-07-07 10:56:13 +02:00
docs-upstream.yml ci: fix docs-upstream workflow 2026-07-06 17:29:12 +02:00
merge.yml ci: harden GitHub Actions workflows 2026-07-07 10:56:13 +02:00
pr-review-trigger.yml fix zizmor findings 2026-07-06 17:11:24 +02:00
pr-review.yml fix zizmor findings 2026-07-06 17:11:24 +02:00
scorecards.yml ci: harden GitHub Actions workflows 2026-07-07 10:56:13 +02:00
stale.yml fix zizmor findings 2026-07-06 17:11:24 +02:00
zizmor.yml ci: zizmor workflow 2026-07-06 17:11:24 +02:00