- Add maintainer authorization check to prevent unauthorized workflow execution
- Validate SHA input format to prevent injection attacks
- Add 90-minute timeout protection against runaway jobs
- Implement automatic blocking for PR synchronize events when Showtime is active
- Add unlabeled trigger support for proper label removal handling
- Preserve local customizations (install-docker-compose: false, upgrade flag)
Security improvements protect against arbitrary code execution while maintaining
workflow_dispatch convenience for authorized maintainers.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
7fbea466c9