* CI: reduce default permissions to minimum
* CI: update pin actions
  Most of them. CodeQL and action-gh-release are untouched for now.
  Immutable actions and actions/* are pinned to version,
  other actions are pinned to hash.
* CI: make use of archive: false in upload-artifact
  Also set compression level and error behavior for scan-build upload.
* CI: update codeql and enable scanning actions
* Initial content-based labeling
* Improve labeling rules around docs and /worlds/generic
* Improve labeling rules around docs and webhost
* Formatting
* Update matching for webhost
* back to square 1 on is:docu
* Try a better glob for docs
* Formatting
* Manage PR state labels
* Correct syntax for conditions
* Correct syntax for conditions
* add trigger on reopening
* add trigger on closing
* keep labels in sync as pr updates
* Change edit event to sync
* Restrict only to PRs to main
* address review comments
* apply only to PRs into main