uppy/.github/workflows
Kevin van Zonneveld 0e09bd2096
Harden dependency installs (#6291)
## Why
Recent npm supply-chain compromises showed that dependency installs and
shared CI caches can execute or preserve newly published malicious
packages before advisories catch up. This PR reduces that exposure for
this repo.

## What changed
- Made eligible Yarn installs immutable and removed shared dependency
caching from the manual CDN upload path; existing minimal age gate
remains unchanged.

## Validation
- Ran `git diff --check` across the prepared worktree.
- Audited this PR set for `pull_request_target` and release/deploy/CDN
cache reuse; patched actionable hits.
- Did not run the full test suite; this is a workflow/config-only
change.
2026-05-12 14:14:10 +02:00
..
bundlers.yml Harden dependency installs (#6291) 2026-05-12 14:14:10 +02:00
ci.yml Harden dependency installs (#6291) 2026-05-12 14:14:10 +02:00
companion-deploy.yml ci: remove qemu from companion edge deploy workflow (#6282) 2026-05-10 13:00:03 +08:00
lockfile_check.yml build(deps): bump actions/cache from 4 to 5 (#6108) 2025-12-15 10:24:10 +01:00
manual-cdn.yml Harden dependency installs (#6291) 2026-05-12 14:14:10 +02:00
release.yml build(deps): bump docker/build-push-action from 6.15.0 to 6.19.2 (#6183) 2026-02-19 10:02:54 +01:00