---
# zizmor configuration: per-rule suppressions and the action-pinning policy
# applied to this repository's workflows.
rules:
  # pull_request_target is needed by workflows that must write to PRs coming
  # from forks (labeling, commenting); those workflows are audited manually.
  # NOTE(review): `disable: true` turns this audit off for every workflow,
  # including ones added later. A per-file `ignore:` list (the pattern used
  # for excessive-permissions below) would keep the check active elsewhere.
  dangerous-triggers:
    disable: true

  # moda-ci is built from reusable workflows (`uses:`), which cannot carry
  # job-level permissions. docker-image needs id-token:write and
  # attestations:write for attestation, and those grants cannot be narrowed
  # to that single job, so the whole file is exempted rather than the rule.
  excessive-permissions:
    ignore:
      - moda-ci.yaml

  # Pinning policy, most specific pattern first:
  #   actions/*                 - tags are treated as immutable, ref-pin accepted
  #   github/internal-actions/* - private org repo, ref-pin accepted
  #   everything else           - must be pinned to a commit hash
  # ref-pin still trusts the upstream tag not to be retargeted; revisit if
  # that assurance changes for either exempted namespace.
  unpinned-uses:
    config:
      policies:
        'actions/*': ref-pin
        'github/internal-actions/*': ref-pin
        '*': hash-pin