* security: pin GitHub Actions to commit SHAs, add gitleaks CI
- Pin all 5 actions (checkout, setup-bun, upload-artifact, download-artifact,
action-gh-release) to commit SHAs across 3 workflow files
- Add permissions: contents: read to test.yml and e2e.yml
- Add gitleaks secret scanning job to test.yml
- Pin openclaw install to v2026.4.9 in e2e.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* security: add .gitleaks.toml config
Allowlists test fixtures, example env files, and skill documentation
to prevent false positives from the gitleaks CI step.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add GitHub Actions SHA maintenance rule to CLAUDE.md
Instructs /ship and /review to check for stale SHA pins and update
them, keeping action versions fresh without manual effort.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add S3 Sig V4 TODO from CSO audit
Deferred from security audit. S3 storage backend accepts credentials
but sends unsigned requests. Implement when S3 becomes a real
deployment path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: bump version and changelog (v0.4.2)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
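The workflow shape the first commit describes (SHA-pinned actions, `permissions: contents: read`, a gitleaks job), as an added illustration rather than the repository's own file: the `oven-sh/setup-bun` and `gitleaks/gitleaks-action` steps and the `bun test` command are assumptions, and every SHA below is a placeholder.

```yaml
# Added illustration (not the repository's own test.yml). Pinning to a full
# commit SHA means a moved or re-pointed tag cannot silently change what the
# job runs; the tag is kept in a trailing comment so the CLAUDE.md
# maintenance rule can tell when a pin is stale. All SHAs are PLACEHOLDERS.
name: test

on: [push, pull_request]

# Least privilege for GITHUB_TOKEN: read the repository, nothing else.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Mutable tag (the form that was replaced):
      #   uses: actions/checkout@v4
      # Immutable pin, tag recorded in the comment for stale-pin checks:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: oven-sh/setup-bun@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
      - run: bun test   # assumed test command

  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          fetch-depth: 0   # full history, so every commit is scanned rather than only HEAD
      # The gitleaks CLI looks for .gitleaks.toml at the repo root by default;
      # its allowlist keeps fixtures and example env files from raising
      # false positives in this job.
      - uses: gitleaks/gitleaks-action@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A pinned step still needs the SHA to actually belong to the tagged release, so verify each placeholder against the action's repository before committing it.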