chore: require approval for release-sensitive workflows #8

Merged

nikuscs merged 1 commit into main from security/harden-release-approval, May 12, 2026

Conversation

@nikuscs nikuscs commented May 12, 2026

Summary

  • add a fork-origin guard to PR-triggered CI so fork PR jobs do not run
  • disable persisted checkout credentials in CI checkout
  • bind tag creation and failure cleanup jobs to the protected release environment
  • keep Apple notarization/signing and Sparkle signing under the existing protected release environment

Validation

  • parsed workflow YAML locally
  • ran git diff --check
  • verified release environment has required reviewers configured

Notes

  • This PR intentionally does not restrict allowed_actions; that remains deferred to avoid broad workflow churn.
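The four hardening steps listed in the summary, shown together in one added example workflow. This is not this repository's workflow; the job names (test, tag-release, sign, cleanup-on-failure), the environment name "release", the dispatch input "version", the script path and the secret name SIGNING_KEY are assumptions for illustration.

```yaml
# Added example workflow, not this repository's own. Job names, the "release"
# environment, the "version" input, scripts/sign.sh and SIGNING_KEY are assumed.
name: ci-and-release

on:
  pull_request:
  workflow_dispatch:
    inputs:
      version:
        description: Version to tag, without the leading v
        required: true

# Default token is read-only; jobs that must write opt in individually below.
permissions:
  contents: read

jobs:
  # ---- PR-triggered CI ----------------------------------------------------
  # Weak form, kept as a comment for contrast:
  #
  #   test:
  #     runs-on: ubuntu-latest
  #     steps:
  #       - uses: actions/checkout@v4      # leaves GITHUB_TOKEN in .git/config
  #       - run: make test                 # runs for fork PRs too
  #
  # Hardened form: skip the job when the PR head is not this repository, and
  # stop checkout from storing the token in the git credential config where a
  # later step (or a malicious test) could read it.
  test:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make test

  # ---- Release-sensitive jobs ---------------------------------------------
  # Every job that creates or deletes the release tag, or signs, names the
  # protected environment: the job waits for the environment's required
  # reviewers, and environment-scoped secrets are readable only inside it.
  tag-release:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: write            # needed to push the tag; scoped to this job
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Create and push tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: v${{ inputs.version }}
        run: |
          git tag "$TAG"
          git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$TAG"

  sign:
    needs: tag-release
    runs-on: macos-latest
    environment: release
    steps:
      - uses: actions/checkout@v4
        with:
          ref: v${{ inputs.version }}
          persist-credentials: false
      - name: Sign release artifacts
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}   # environment-scoped secret
        run: ./scripts/sign.sh

  cleanup-on-failure:
    needs: [tag-release, sign]
    if: failure()                # an ancestor job failed
    runs-on: ubuntu-latest
    environment: release         # deleting the tag is as sensitive as creating it
    permissions:
      contents: write
    steps:
      - name: Remove the partially released tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: v${{ inputs.version }}
        run: |
          gh api --method DELETE "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG}" \
            || echo "tag ${TAG} was never pushed"
```

The required-reviewer gate itself lives in the repository's environment settings, not in this file, which is why the validation list above checks it separately. Under the `pull_request` event a fork PR already receives a read-only token and no repository secrets, so the origin guard is defence in depth there; it becomes essential if a workflow is ever switched to `pull_request_target`, which runs with the base repository's token and secrets.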

@nikuscs nikuscs requested a review from sousavf as a code owner May 12, 2026 09:42
@nikuscs nikuscs merged commit 695e9fc into main May 12, 2026
1 check passed
@nikuscs nikuscs deleted the security/harden-release-approval branch May 12, 2026 11:17