* NOTE: the release workflows' new handling of secrets
may be a breaking change for forks that are using any secrets
other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN.
Previously, the release workflow would try to resolve a token
secret name based on the `target` or `source` input,
e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN,
and then fall back to using the ARCHIVE_REPO_TOKEN secret if the
resolved token secret name was not found in the repository.
This behavior has been replaced by the release workflow
always using the ARCHIVE_REPO_TOKEN secret as the token
for publishing releases to any external archive repository.
* Add zizmor CI job for auditing workflows
* Pin all actions to commit hashes instead of symbolic references
* Explicitly set GITHUB_TOKEN permissions at the job level
* Use actions/checkout with `persist-credentials: false` whenever possible
* Remove/replace template expansions in workflow scripts
* Remove all usage of actions/cache from build/release workflows
* Remove the cache-warmer.yml workflow
* Remove the unused download.yml workflow
* Set concurrency limits for any workflows that are triggered by PRs
* Avoid loading the entire secrets context
* Replace usage of `secrets: inherit` with explicit `secrets:` blocks
* Pin all external docker images to hash that are used by the build workflow
* Explicitly set `shell: bash` for some steps to avoid pwsh or set pipefail
* Ensure any pwsh steps will fail on non-zero exit codes
Authored by: bashonly
bashonly