From ea0121618bb39abc1cff180c258978a02d4e04fd Mon Sep 17 00:00:00 2001
From: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 23:01:59 -0700
Subject: [PATCH] ci: remove publish-immutable-action workflow (#361)

The `publish-immutable-action` workflow uses `actions/publish-immutable-action@v0.0.4`. The Immutable Actions Publishing feature (OCI-based) has been paused with no GA timeline. This removes the workflow; it can be re-added when the feature becomes generally available. To fully address #352, the repository-level **immutable releases** setting has also be enabled. This [feature](https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/) locks release tags and assets after publication, directly preventing the class of attack described in [GHSA-mrrh-fwg8-r2c3](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3). The existing release workflow is compatible with immutable releases. Build artifacts are committed via `@semantic-release/git` before the tag is created, and major version tags (`v3`, etc.) are plain git tags (not releases) so they remain updatable.
---
 .github/workflows/publish-immutable-action.yml | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 .github/workflows/publish-immutable-action.yml

diff --git a/.github/workflows/publish-immutable-action.yml b/.github/workflows/publish-immutable-action.yml
deleted file mode 100644
index dd783de..0000000
--- a/.github/workflows/publish-immutable-action.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: 'Publish Immutable Action'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-    steps:
-      - uses: actions/checkout@v6
-      - name: Publish Immutable Action
-        uses: actions/publish-immutable-action@v0.0.4