Replace all template expansions in code contexts with environment
variable substitutions. Template expansion in code contexts can be a
source of code injection vulnerabilities; for more info, see:
https://docs.zizmor.sh/audits/#template-injection

The default workflow permissions are overly broad; setting permissions
explicitly at the workflow level ensures excessive permissions are not
unintentionally granted to jobs. For details, see:
https://docs.zizmor.sh/audits/#excessive-permissions

Set `persist-credentials: false` for all uses of `actions/checkout`.
This prevents git credentials from being stored on disk, and fixes the
following Zizmor audit:
https://docs.zizmor.sh/audits/#artipacked

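
The three commits above describe one hardened workflow shape; the following is an added illustration, not the project's own workflow, with placeholder workflow, job and step names. It puts the weak template-expansion step (commented out) next to its environment-variable replacement, sets read-only permissions at the workflow level, and disables credential persistence on checkout.

```yaml
# Added example, not the project's own workflow: the hardened shape the
# commits above describe. Workflow, job and step names are placeholders.
name: ci-hardened-example

on:
  pull_request:

# Workflow-level permissions: start from read-only so no job inherits the
# broad default; a job that needs more declares it in its own block.
permissions:
  contents: read

jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in .git/config on the runner,
          # where later steps or uploaded artifacts could expose it.
          persist-credentials: false

      # WEAK: expanding attacker-controllable event data directly inside
      # `run:` makes the PR title part of the shell script text itself.
      # - run: echo "Title: ${{ github.event.pull_request.title }}"

      # HARDENED: pass the value through an environment variable; the
      # shell then sees it as data in "$PR_TITLE", never as script text.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf 'Title: %s\n' "$PR_TITLE"
```

Running `zizmor` over the weak variant flags the `template-injection` and `artipacked` audits linked above; the hardened variant is clean for those checks.
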
Setting the label `ci:skip-news` will skip the job. This is useful for
maintainers to indicate to contributors that a feature isn't big enough
to warrant a news entry, or for contributors who dislike red CI even if
there's nothing wrong.

Also change label `ci-s390x` to `ci:s390x`; this way it'll be easier to
see that `ci:` labels are a subcategory of labels that affect CI in some way.

If any commit message in the PR is either of type "feat" or is a
breaking change, then there's a high probability that news.txt should be
updated. Give an error if news.txt hasn't been updated in that case.

This workflow cannot 100% correctly determine if news.txt should be
updated even if the commit messages were exactly correct. The entries in
news.txt are determined by changes between releases, while the commit
messages are based on the master branch. While it is an approximation,
it is still a useful enough one that it's still valuable to have this
job as a reminder even if it gives an error when it shouldn't. In these
cases it is perfectly fine to ignore the failure for this job.