Severity: Info
File: .github/workflows/tmp.yml
Description:
The workflow is literally named tmp, triggered only via workflow_dispatch, and carries no header comment explaining its purpose. The body appears to run winget install on build tools (Inno Setup, etc.) on a Windows runner, suggesting it is a one-off cache/prep or smoke test for CI toolchain availability. Living in main under a throwaway name makes it hard for maintainers or auditors to know whether it is still load-bearing — and a workflow_dispatch-only workflow in a public repo invites confused contributors to run it without context.
name: tmp
on:
  workflow_dispatch:
jobs:
  setup-tools:
    runs-on: windows-latest
    steps:
      - name: Install or Upgrade Inno Setup
        shell: pwsh
        run: winget install -e --id JRSoftware.InnoSetup --version 6.6.1 ...
Suggested fix:
Either (a) rename and document — e.g. ci-toolchain-bootstrap.yml with a header block stating when/why to dispatch — or (b) delete it if it has been superseded by the setup action in .github/actions/setup-dotnet/. While touching it, add a permissions: contents: read block (see the companion ticket on missing-permissions for changelog/sbom/tmp).
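As an added illustration of option (a), not a file from the audited repository: the same job under a descriptive filename, with a header comment that states when and why to dispatch it and a top-level permissions block that restricts the job's GITHUB_TOKEN to read-only repository access. The filename, the header wording, the owner placeholder and the two --accept-* winget flags (added so the install cannot block on an interactive prompt) are assumptions; the job, runner and install command are the ones from the finding.

```yaml
# .github/workflows/ci-toolchain-bootstrap.yml   (assumed name)
#
# Purpose: on-demand check that the Windows installer toolchain
# (Inno Setup and similar tools) can be installed on a hosted runner
# via winget before a release is cut.
# When to dispatch: manually from the Actions tab, e.g. when the
# installer build fails on toolchain resolution. It is not part of
# the regular CI pipeline.
# Owner: <maintainer or team placeholder>
name: ci-toolchain-bootstrap

on:
  workflow_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: this job only
# installs tools on the runner and never writes to the repository,
# packages or other GitHub resources.
permissions:
  contents: read

jobs:
  setup-tools:
    runs-on: windows-latest
    steps:
      - name: Install or Upgrade Inno Setup
        shell: pwsh
        # --accept-* flags (assumed) keep winget non-interactive in CI;
        # the pinned version is the one from the original workflow.
        run: >-
          winget install -e --id JRSoftware.InnoSetup --version 6.6.1
          --accept-source-agreements --accept-package-agreements
```

The top-level permissions block applies to every job in the file, so any job added later still starts from read-only and has to opt in explicitly if it needs write scopes.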