* Include `pin*` extras in lockfile
* Fix and clean up `devscripts/update_requirements.py`
* Improve release channel documentation
* Remove false statement from `--prefer-insecure` documentation
* Assorted code cleanup
* Set `GH_TELEMETRY=false` in CI/CD whenever `gh` is used
* Add comments about required checks in CI workflows
* Run `test-workflows.yml` for every PR so its checks can be required
* Verify actionlint attestation in CI
* Remove zizmor version to reduce workflow maintenance burden
  (zizmor-action handles pinning on its end)
Authored by: bashonly
* NOTE: the release workflows' new handling of secrets
  may be a breaking change for forks that are using any secrets
  other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN.
  Previously, the release workflow would try to resolve a token
  secret name based on the `target` or `source` input,
  e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN,
  and then fall back to using the ARCHIVE_REPO_TOKEN secret if the
  resolved token secret name was not found in the repository.
  This behavior has been replaced by the release workflow
  always using the ARCHIVE_REPO_TOKEN secret as the token
  for publishing releases to any external archive repository.
* Add zizmor CI job for auditing workflows
* Pin all actions to commit hashes instead of symbolic references
* Explicitly set GITHUB_TOKEN permissions at the job level
* Use actions/checkout with `persist-credentials: false` whenever possible
* Remove/replace template expansions in workflow scripts
* Remove all usage of actions/cache from build/release workflows
* Remove the cache-warmer.yml workflow
* Remove the unused download.yml workflow
* Set concurrency limits for any workflows that are triggered by PRs
* Avoid loading the entire secrets context
* Replace usage of `secrets: inherit` with explicit `secrets:` blocks
* Pin all external docker images that are used by the build workflow to hashes
* Explicitly set `shell: bash` for some steps to avoid pwsh or set pipefail
* Ensure any pwsh steps will fail on non-zero exit codes
Authored by: bashonly
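
The following is an added example, not part of the commit message above and not the project's or zizmor's code. It is a minimal line-based checker for four of the hardening items listed: actions pinned to commit hashes, `persist-credentials: false` on checkout, no `secrets: inherit`, and no expression that loads the entire secrets context. The rule names, the sample workflow and the `publish` command are constructed for illustration, and the checker assumes `with:` follows `uses:` within a step.

```python
import re

# Constructed sample workflow (not from the project); the 40-hex ref is a
# placeholder and `publish` is a hypothetical command.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - run: publish --token "${{ secrets[format('{0}_ARCHIVE_REPO_TOKEN', inputs.target)] }}"
  release:
    uses: ./.github/workflows/release.yml
    secrets: inherit
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
PINNED = re.compile(r"@(?:[0-9a-f]{40}|sha256:[0-9a-f]{64})$")
# A dynamic index or toJSON() makes the runner load every secret, not one.
WHOLE_SECRETS = re.compile(r"secrets\s*\[|toJSON\(\s*secrets\s*\)", re.I)

def audit(text):
    """Return sorted (line_number, rule) findings for a workflow given as text."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if re.match(r"^\s*secrets:\s*inherit\b", line):
            findings.append((i + 1, "secrets-inherit"))
        if WHOLE_SECRETS.search(line):
            findings.append((i + 1, "whole-secrets-context"))
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # not a `uses:` line, or a local workflow/action
        if not PINNED.search(m.group(1)):
            findings.append((i + 1, "unpinned-ref"))
        if m.group(1).startswith("actions/checkout@"):
            # The step body is every following line indented at least as far
            # as the `uses:` key itself.
            col = line.index("uses:")
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < col:
                    break
                body.append(nxt)
            if not re.search(r"persist-credentials:\s*false\b", "\n".join(body)):
                findings.append((i + 1, "checkout-persists-credentials"))
    return sorted(findings)
```

Calling `audit(SAMPLE)` flags lines 5, 10 and 13 of the sample. The pinned checkout step with `persist-credentials: false` passes.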