A workspace-local composite action (.github/actions/start-temporal-dev-server/action.yml) was being invoked from PR workflows after Doppler/OIDC tokens were materialized, which allows PR-controlled repository content to execute with privileged CI environment variables.
The intent is to eliminate that mutable execution point so sensitive tokens (Doppler/GH OIDC) are not exposed to PR-controlled action metadata.
Preserve existing Temporal startup behavior (pinned image, namespaces, readiness gate) while removing the insecure pattern.
Description
Replaced uses: ./.github/actions/start-temporal-dev-server with an inline run: | block that contains the exact Temporal dev-server startup, namespace creation, and readiness loop in three PR-facing workflows.
Removed the workspace-local composite action file at .github/actions/start-temporal-dev-server/action.yml so PR content can no longer change action metadata that would run after secrets are exported.
Kept the same pinned Temporal image digest, namespace list, and readiness gating logic to preserve prior CI behavior.
Testing
Verified there are no remaining uses: ./.github/actions/start-temporal-dev-server occurrences with rg, and the search returned no matches (success).
Parsed the three modified workflow YAML files with Ruby's YAML.load_file to ensure valid syntax (success).
Attempted to run a Python PyYAML validation but the environment lacked PyYAML so that particular check could not run (skipped/failure); actionlint was not available in the environment so that linter check was skipped.
@kaavee315checks…codex/fix-pr-workflows-executing-local-actions → master4 files · +90 −45review: @acsrujanreview: @abir-taheerreview: @anshugarg15updated 1w ago