name: Security File Write Check on: pull_request: types: [opened, synchronize, reopened] workflow_call: # Called by ci-gate.yml for release pipeline workflow_dispatch: # No concurrency group — intentionally omitted. # This workflow triggers on both pull_request and workflow_call (from # ci-gate.yml / release-gate.yml). A shared concurrency key would cause # direct PR runs and workflow_call runs to cancel each other mid-flight. # See #3554 (reverted in #3599) for context. permissions: contents: read jobs: check-file-writes: name: Check for Unencrypted File Writes runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Check for potential unencrypted file writes run: ./.github/scripts/check-file-writes.sh