chore: harden workflow configuration

Release-As: 2.0.1

Author: hesreallyhim

.github/workflows/README.md

@@ -1,6 +1,6 @@
 # Workflow Maintenance
 
-`self-test.yml` and `realistic-test.yml` are generated by
+`self-test.yml.disabled` and `realistic-test.yml.disabled` are generated by
 `scripts/generate-self-test.ts`.
 
 Do not edit those generated workflow files directly, including GitHub Action
@@ -9,3 +9,12 @@ version or SHA pin changes. Update the generator, then run:
 ```sh
 npm run generate:self-test
 ```
+
+Both self-test workflows are intentionally disabled for now. They preserve live
+GitHub API usage scenarios that exercise this action through an external
+repository ref, but they have not been part of regular maintenance and can add
+Scorecard noise because of that external ref.
+
+If a future Scorecard scan still treats `*.yml.disabled` files under
+`.github/workflows` as active build inputs, move these generated files out of
+`.github/workflows`.

.github/workflows/ci.yml

@@ -12,7 +12,6 @@ concurrency:
 
 permissions:
   contents: read
-  actions: write
 
 jobs:
   build:
@@ -44,7 +43,7 @@ jobs:
         run: npm run generate:self-test
 
       - name: Verify self-test workflows are up to date
-        run: git diff --exit-code -- .github/workflows/self-test.yml .github/workflows/realistic-test.yml scripts/self-test-manifest.json
+        run: git diff --exit-code -- .github/workflows/self-test.yml.disabled .github/workflows/realistic-test.yml.disabled scripts/self-test-manifest.json
 
       - name: Typecheck
         run: npm run typecheck
@@ -79,7 +78,7 @@ jobs:
         run: npm run generate:self-test
 
       - name: Verify self-test workflows are up to date
-        run: git diff --exit-code -- .github/workflows/self-test.yml .github/workflows/realistic-test.yml scripts/self-test-manifest.json
+        run: git diff --exit-code -- .github/workflows/self-test.yml.disabled .github/workflows/realistic-test.yml.disabled scripts/self-test-manifest.json
 
       - name: Typecheck
         run: npm run typecheck

.github/workflows/realistic-test.yml …ub/workflows/realistic-test.yml.disabled.github/workflows/realistic-test.yml renamed to .github/workflows/realistic-test.yml.disabled .github/workflows/realistic-test.yml renamed to .github/workflows/realistic-test.yml.disabled

@@ -6,12 +6,14 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/release-please.yml

@@ -53,7 +53,7 @@ regressions and to verify the poller and post hook behave as expected.
 
 ### What they are
 
-- Workflow files: `.github/workflows/self-test.yml` and `.github/workflows/realistic-test.yml`
+- Workflow files: `.github/workflows/self-test.yml.disabled` and `.github/workflows/realistic-test.yml.disabled`
 - Generator: `scripts/generate-self-test.ts`
 - Scenarios manifest: `scripts/scenarios.ts` (inputs) and `scripts/self-test-manifest.json` (generated)
 - Scenario runner: `scripts/run-scenario.mjs`
@@ -64,19 +64,19 @@ regressions and to verify the poller and post hook behave as expected.
 
 - **Source of truth**: `scripts/scenarios.ts` defines all scenarios.
 - Run `npm run generate:self-test` to regenerate:
-  - `.github/workflows/self-test.yml`
-  - `.github/workflows/realistic-test.yml` (only if realistic scenarios exist)
+  - `.github/workflows/self-test.yml.disabled`
+  - `.github/workflows/realistic-test.yml.disabled` (only if realistic scenarios exist)
   - `scripts/self-test-manifest.json`
 - Do not hand-edit the generated workflow files. The header in each workflow
   indicates they are auto-generated.
 
 ### When and why to run
 
-- Use **Self-Test** (`self-test.yml`) for quick regression checks after changes
-  to reducer logic, polling behavior, state handling, or output formatting.
-- Use **Realistic Test** (`realistic-test.yml`) for longer-duration behavior or
-  more production-like traffic patterns. This is intentionally separate to avoid
-  slowing normal self-tests.
+- `self-test.yml.disabled` preserves the shorter controlled regression scenarios
+  for reducer logic, polling behavior, state handling, and output formatting.
+- `realistic-test.yml.disabled` preserves the longer-duration, production-like
+  traffic pattern as an inactive workflow. Re-enable it only for deliberate
+  soak-test work or after adding assertions that make it useful as a CI signal.
 - Both workflows require `diagnostics: true` so they can download and analyze
   the diagnostics artifact. This is handled in the generator.
 

.github/workflows/self-test.yml .github/workflows/self-test.yml.disabled.github/workflows/self-test.yml renamed to .github/workflows/self-test.yml.disabled

@@ -14,13 +14,13 @@ import { SCENARIOS } from "./scenarios.js";
 import type { Scenario } from "./scenarios.js";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const workflowPath = join(__dirname, "..", ".github", "workflows", "self-test.yml");
+const workflowPath = join(__dirname, "..", ".github", "workflows", "self-test.yml.disabled");
 const realisticWorkflowPath = join(
   __dirname,
   "..",
   ".github",
   "workflows",
-  "realistic-test.yml"
+  "realistic-test.yml.disabled"
 );
 const manifestPath = join(__dirname, "self-test-manifest.json");
 const ARTIFACT_PREFIX = "github-api-usage-monitor";