Workflows are hardened using the Step Security tool. Findings for the "Harden Runner" steps are available online.
Most jobs only have a few endpoints, but due to tools which do downloads, a few have significantly more. These are:
When updating one of these, consider updating all of them.
We try to keep allowed-endpoints with one per line. Prettier wants to wrap
them, which we fix with prettier-ignore.
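One way to check both conventions above (keep the larger endpoint lists in sync, and keep one endpoint per line) is sketched below. This is an added example, not code from the Carbon repository. The file names, endpoints, and the `allowed-endpoints: >` block-scalar layout in the sample are constructed assumptions.

```python
import re

# Constructed sample workflows (hypothetical names, not the repository's real files).
STEP = """\
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          # prettier-ignore
          allowed-endpoints: >
"""
WORKFLOWS = {
    "tests.yaml": STEP + "            api.github.com:443\n"
                         "            github.com:443\n"
                         "            pypi.org:443\n"
                         "      - uses: actions/checkout@v4\n",
    "nightly.yaml": STEP + "            api.github.com:443 github.com:443\n",
}

# Assumption: the list is written as a YAML block scalar (> or |).
HEADER = re.compile(r"^(\s*)allowed-endpoints:\s*[>|][+-]?\s*$")

def endpoint_lines(text):
    """Return the content lines of every allowed-endpoints block scalar."""
    lines, indent = [], None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            indent = len(match.group(1))
        elif indent is not None and line.strip():
            if len(line) - len(line.lstrip()) <= indent:
                indent = None  # dedent: the block scalar has ended
            else:
                lines.append(line.strip())
    return lines

def wrapped(text):
    """Lines holding more than one endpoint, i.e. not one per line."""
    return [ln for ln in endpoint_lines(text) if len(ln.split()) > 1]

def drift(workflows):
    """For each file, endpoints allowed elsewhere in the group but not in it."""
    sets = {n: {e for ln in endpoint_lines(t) for e in ln.split()}
            for n, t in workflows.items()}
    union = set().union(*sets.values())
    return {n: sorted(union - s) for n, s in sets.items() if union - s}

if __name__ == "__main__":
    print(drift(WORKFLOWS), {n: wrapped(t) for n, t in WORKFLOWS.items()})
```

Pass `drift` only the group of workflows that are meant to share a list. An endpoint it reports is a prompt to review the other files, not necessarily an error.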
We keep around an action-test branch in carbon-lang, which can be used to test
triggers with push: configurations. For example:
on:
  push:
    branches: [action-test]