⚙️ Updating workflow based on audit (#7740 )

* updating workflows with audit feedback * release notes
2026-05-07 20:38:54 -05:00 · 2026-05-07 20:26:12 +00:00
9 changed files with 16 additions and 0 deletions
--- a/.github/workflows/cut-release-branch.yml
+++ b/.github/workflows/cut-release-branch.yml
@@ -26,6 +26,7 @@ permissions:
 jobs:
  cut-release-branch:
    runs-on: ubuntu-latest
+    environment: release
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/docker-edge.yml
+++ b/.github/workflows/docker-edge.yml
@@ -32,6 +32,7 @@ jobs:
    if: github.event_name == 'workflow_dispatch' || !github.event.repository.fork
    name: Build Docker image
    runs-on: ubuntu-latest
+    environment: release
    strategy:
      matrix:
        os: [ubuntu, alpine]
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -27,6 +27,7 @@ jobs:
  build:
    name: Build Docker image
    runs-on: ubuntu-latest
+    environment: release
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
--- a/.github/workflows/electron-master.yml
+++ b/.github/workflows/electron-master.yml
@@ -21,6 +21,7 @@ jobs:
    # this is so the assets can be added to the release
    permissions:
      contents: write
+    environment: release
    strategy:
      fail-fast: false
      matrix:
@@ -123,6 +124,7 @@ jobs:
  publish-microsoft-store:
    needs: build
    runs-on: windows-latest
+    environment: release
    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
    steps:
      - name: Install StoreBroker
--- a/.github/workflows/netlify-release.yml
+++ b/.github/workflows/netlify-release.yml
@@ -19,6 +19,7 @@ concurrency:
 jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
+    environment: release
    steps:
      - name: Repository Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/publish-flathub.yml
+++ b/.github/workflows/publish-flathub.yml
@@ -21,6 +21,7 @@ concurrency:
 jobs:
  publish-flathub:
    runs-on: ubuntu-22.04
+    environment: release
    steps:
      - name: Resolve version
        id: resolve_version
--- a/.github/workflows/publish-nightly-electron.yml
+++ b/.github/workflows/publish-nightly-electron.yml
@@ -27,6 +27,7 @@ jobs:
          - windows-latest
          - macos-latest
    runs-on: ${{ matrix.os }}
+    environment: release
    if: github.event.repository.fork == false
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/publish-npm-packages.yml
+++ b/.github/workflows/publish-npm-packages.yml
@@ -87,6 +87,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Publish npm packages
    needs: build-and-pack
+    environment: release
    permissions:
      contents: read
      packages: write
@@ -105,6 +106,7 @@ jobs:
          node-version: 24
          check-latest: true
          registry-url: 'https://registry.npmjs.org'
+          cache: false

      - name: Publish Core
        run: |
--- a/upcoming-release-notes/7740.md
+++ b/upcoming-release-notes/7740.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [MikesGlitch]
+---
+
+Improve Github workflows with suggestions from the code scan.