## Actions

- [ ] Enable secret scanning push protection on this repo (Settings → Code security)
- [ ] Annual rotation: generate new key → update secret → verify sync → revoke old key
- [ ] Set up yearly reminder (calendar or scheduled issue-opening workflow)
- [ ] Audit whether `WEBHOOK_SECRET` is actually used in Actions-only mode

_Audit report — section 4_