- build-publish-images: replace silent sudo chown failure (2>/dev/null || true)
with proper error handling and fallback cleanup for all 7 push jobs.
Root cause: container build jobs create root-owned files, non-container push
jobs on runner2 couldn't sudo chown without sudoers config.
- tests-misc: add disk cleanup step to cargo-check-all-crate-macos job to free
space before cargo check (remove Android SDK, old CLT SDKs, etc.)
- security-audit: truncate cargo-audit output to 500 lines before writing to
GITHUB_STEP_SUMMARY to avoid the 1MB size limit crash.
- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks
pezkuwichain