Harden client session, billing and audio-restore paths #23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release hygiene | |
| # Enforces the open-core boundary on every push / PR: no closed-core paths and | |
| # no live secrets may enter the public repository. See scripts/check_release_hygiene.py. | |
| on: | |
| push: | |
| branches: ["**"] | |
| pull_request: | |
| branches: ["**"] | |
| permissions: | |
| contents: read | |
| jobs: | |
| hygiene: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # full history so the --history scan is meaningful | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Scan tracked tree and history for leaks | |
| run: python scripts/check_release_hygiene.py --history |