Jon Ross-Perkins 6572da7314 Add dwblaikie as a toolchain reviewer (#4820) 1 year ago
README.md b73387fc84 Update workflows for security hardening. (#4192) 1 year ago
auto_assign_prs.yaml 6572da7314 Add dwblaikie as a toolchain reviewer (#4820) 1 year ago
auto_label_prs.yaml 145c44b66c Move the language server into toolchain's busybox. (#4469) 1 year ago
clang_tidy.yaml f52ae6afa7 Fix clang-tidy to run on the merge queue (#4773) 1 year ago
discord_wiki.yaml 17abaa2bca Fix stray quote in action (#4193) 1 year ago
gh_pages_ci.yaml b6396e97f8 Build a website. (#4189) 1 year ago
gh_pages_deploy.yaml b6396e97f8 Build a website. (#4189) 1 year ago
nightly_release.yaml f8e60a8ec1 Fix path to carbon binary in nightly builder (#4737) 1 year ago
pre_commit.yaml 9af06cc988 Adjust some build troubleshooting notes (#4471) 1 year ago
pre_commit_suggestions.yaml b73387fc84 Update workflows for security hardening. (#4192) 1 year ago
proposal_labeled.yaml b73387fc84 Update workflows for security hardening. (#4192) 1 year ago
proposal_ready.yaml b73387fc84 Update workflows for security hardening. (#4192) 1 year ago
sync_repos.yaml b73387fc84 Update workflows for security hardening. (#4192) 1 year ago
tests.yaml 249709cb49 Split out clang-tidy to not run in merge (#4428) 1 year ago
triage_inactive.yaml b73387fc84 Update workflows for security hardening. (#4192) 1 year ago

README.md

Workflows

Hardening

Workflows are hardened using the Step Security tool. Findings for the "Harden Runner" steps are available online.

Allowed endpoints

Most jobs only have a few endpoints, but due to tools which do downloads, a few have significantly more. These are:

  • pre_commit.yaml (Bazel, pre-commit)
  • nightly_release.yaml (Bazel)
  • tests.yaml (Bazel)

When updating one of these, consider updating all of them.

We try to keep allowed-endpoints with one endpoint per line. Prettier wants to wrap them, which we fix with prettier-ignore.
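
One way to check both conventions above (keeping the Bazel-heavy workflows in step, and one endpoint per line), as an added example that is not part of the Carbon repository. It assumes allowed-endpoints is written as a YAML block scalar under the Harden Runner step; the workflow fragments and the .example hostnames are constructed samples, and the helper names are hypothetical.

```python
import re

def allowed_endpoints(text):
    """Return (endpoints, wrapped_lines) from allowed-endpoints block scalars."""
    endpoints, wrapped, indent = [], [], None
    for line in text.splitlines():
        m = re.match(r"^(\s*)allowed-endpoints:\s*[>|]?-?\s*$", line)
        if m:
            indent = len(m.group(1))  # block content must be indented deeper
            continue
        if indent is None or not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= indent:
            indent = None  # a dedent ends the block scalar
            continue
        items = line.split()
        endpoints += items
        if len(items) > 1:  # several endpoints on one line, e.g. after a re-wrap
            wrapped.append(line.strip())
    return endpoints, wrapped

def drift(workflows):
    """Map each file to endpoints that sibling files allow but it does not."""
    sets = {name: set(allowed_endpoints(t)[0]) for name, t in workflows.items()}
    union = set().union(*sets.values())
    return {name: sorted(union - s) for name, s in sets.items()}

# Constructed samples (assumed layout); not the project's real endpoint lists.
HEAD = """\
      - uses: step-security/harden-runner@<pinned-sha>
        with:
          egress-policy: block
          # prettier-ignore
          allowed-endpoints: >
"""
SAMPLES = {
    "pre_commit.yaml": HEAD + "            api.github.com:443\n"
                              "            downloads.example:443\n",
    "nightly_release.yaml": HEAD + "            api.github.com:443 registry.example:443\n",
    "tests.yaml": HEAD + "            api.github.com:443\n"
                         "            registry.example:443\n"
                         "      - uses: actions/checkout@<pinned-sha>\n",
}

if __name__ == "__main__":
    for name, missing in drift(SAMPLES).items():
        print(f"{name}: allowed elsewhere but not here: {missing}")
    for name, text in SAMPLES.items():
        for line in allowed_endpoints(text)[1]:
            print(f"{name}: more than one endpoint on a line: {line}")
```

The drift report is advisory: a workflow may legitimately need endpoints the others do not, so treat a difference as a prompt to review rather than a failure.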

Testing

We keep around an action-test branch in carbon-lang, which can be used to test triggers with push: configurations. For example:

on:
  push:
    branches: [action-test]