mirror of
https://github.com/better-auth/better-auth.git
synced 2026-07-17 17:01:18 -05:00
30 lines
1.5 KiB
YAML
30 lines
1.5 KiB
YAML
# Policy: fix shell-injection, cache, and credential-persistence findings.
|
|
# Suppress only intentional metadata-only workflows, and state the trust
|
|
# boundary so future workflow changes do not mix privilege with PR code.
|
|
rules:
|
|
dangerous-triggers:
|
|
ignore:
|
|
# Intentional: this workflow only reads PR title metadata via GitHub API,
|
|
# never checks out fork code. The pull_request_target trigger is required
|
|
# for the action to post/delete PR comments.
|
|
- semantic-pull-request.yml
|
|
# Intentional: reads .changeset/*.md content via GitHub API only.
|
|
# No checkout of fork code. No code execution.
|
|
- auto-retarget.yml
|
|
# Intentional: applies labels from repository-owned config only. It does
|
|
# not check out or execute PR code; pull_request_target is required so
|
|
# labels can be applied to fork PRs.
|
|
- auto-label.yml
|
|
# Intentional: creates backports for already-merged PRs or maintainer
|
|
# slash commands. Checkout persists no credentials; the action receives
|
|
# an explicit token and does not execute fork PR code.
|
|
- backport.yml
|
|
use-trusted-publishing:
|
|
ignore:
|
|
# Intentional: pkg.pr.new publishes ephemeral PR preview packages, not npm
|
|
# release artifacts. Do not add id-token: write to this pull_request
|
|
# workflow without redesigning the preview-publish trust boundary. If a
|
|
# future maintainer enables trusted publishing here, also re-evaluate
|
|
# the pull_request trigger.
|
|
- preview.yml
|