fair enough... separating build and publish actions, and using artifacts from one to the other can help limit exposure to just the publish yaml.
Though, one should be very leery of anything that touches certain paths... for the most part, I tend to use scripts/npm/ for anything run from package.json and would also watch out for any changes in .github/
It depends on a bit of due diligence. It's not any different than other CI/CD platforms in any meaningful way.
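As an added illustration (not the commenter's code), a GitHub Actions workflow that separates the build job from the publish job and hands the package over as an artifact, so the registry token is only ever visible to the publish job; the environment name `npm-release` and the secret name `NPM_TOKEN` are assumed.

```yaml
name: build-and-publish

on:
  push:
    tags: ['v*']

permissions:
  contents: read            # workflow-wide default: no job can write to the repo

jobs:
  build:
    runs-on: ubuntu-latest
    # No secrets here: anything run from package.json (lifecycle scripts,
    # scripts/npm/*) only ever sees a read-only GITHUB_TOKEN.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci --ignore-scripts   # do not run dependencies' install scripts
      - run: npm run build
      - run: npm pack                  # produces <name>-<version>.tgz
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: '*.tgz'

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: npm-release           # assumed: holds NPM_TOKEN, with required reviewers
    permissions:
      contents: read
      id-token: write                  # only needed for npm provenance attestation
    steps:
      # Deliberately no checkout: package.json scripts from the repo never run here,
      # so a tampered script cannot reach the token.
      - uses: actions/download-artifact@v4
        with:
          name: package
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm publish ./*.tgz --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Pair this with a CODEOWNERS entry for `.github/` and `scripts/npm/` so changes to either path require review from the people who own the release process.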