zeroclaw/.github/workflows
Simian Astronaut 7 d1fffc3b74 fix(ci): scope release workflow permissions per-job
Narrow workflow-level permissions to contents:read and grant
write access only to the specific jobs that need it (publish
gets contents:write, docker gets packages:write). Reduces blast
radius if a build step is compromised (P1 finding).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 01:09:51 -04:00
checks-on-pr.yml fix(ci): SHA-pin all third-party GitHub Actions 2026-03-10 01:09:32 -04:00
cross-platform-build-manual.yml fix(ci): SHA-pin all third-party GitHub Actions 2026-03-10 01:09:32 -04:00
master-branch-flow.md ci(workflows): rename workflow files and add lint + security jobs 2026-03-10 00:17:54 -04:00
README.md chore: update .gitignore, CODEOWNERS, and dependabot configuration 2026-03-07 21:05:23 -05:00
release-beta-on-push.yml fix(ci): scope release workflow permissions per-job 2026-03-10 01:09:51 -04:00
release-stable-manual.yml fix(ci): scope release workflow permissions per-job 2026-03-10 01:09:51 -04:00

Workflow Directory Layout

GitHub Actions only loads workflow entry files from:

  • .github/workflows/*.yml
  • .github/workflows/*.yaml

Subdirectories are not valid locations for workflow entry files.

Repository convention:

  1. Keep runnable workflow entry files at .github/workflows/ root.
  2. Keep cross-tooling/local CI scripts under dev/ or scripts/ci/ when used outside Actions.

Workflow behavior documentation in this directory:

  • .github/workflows/master-branch-flow.md