
fix(ci): isolate coreutils drift external execution #1614

Merged: chaliy merged 1 commit into main from 2026-05-08-fix-coreutils-drift-ci-privilege on May 8, 2026

Conversation

@chaliy (Contributor) commented May 8, 2026

What

Split the coreutils drift workflow so uutils checkout/build/differential execution runs only in a read-only job without persisted checkout credentials.

Why

The previous drift path executed third-party Rust build scripts and the generated uutils binary inside a job with repository and PR write scopes. That let a compromised upstream or dependency abuse privileged CI credentials.

How

  • Keep the regenerate/build/test job at contents: read with persist-credentials: false on both checkouts.
  • Resolve upstream HEAD to a concrete commit before codegen/build.
  • Pass drift to the write-scoped PR job as a bounded git patch and reject staged paths outside crates/bashkit/src/builtins/generated/.
  • Replace the third-party PR action in the write-scoped job with gh.
  • Add workflow security regression tests and update the coreutils args port spec.

Risk

  • Low / Medium / High: Medium
  • What can break: the scheduled drift PR automation could fail if the new patch handoff or gh PR update path behaves differently from the previous action.

Checklist

  • Tests added or updated
  • Backward compatibility considered

Verified:

  • Reproduced with failing cargo test -p bashkit --test workflow_security_tests before the workflow split.
  • cargo test -p bashkit --test workflow_security_tests
  • cargo fmt --check
  • cargo clippy --all-targets -- -D warnings
  • cargo test
  • cargo vet
  • YAML parse for .github/workflows/coreutils-args-drift.yml
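The bounded-patch handoff described in the How list above, as an added example that is not bashkit's own workflow code: a POSIX shell pre-filter that lists every path a unified diff touches and rejects the patch if any path is absolute, traverses with `..`, or falls outside the generated directory. The allowed prefix is the one named in the PR; the function names, the two sample patches and the `.github/workflows/release.yml` target smuggled into the hostile sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not bashkit's CI code: bound a patch handed from a read-only
# CI job to a write-scoped job so the write job can only touch one directory.
# The prefix matches the PR text; every sample patch below is constructed.

ALLOWED_PREFIX="crates/bashkit/src/builtins/generated/"

# Print every path a unified diff touches, one per line, without the a/ b/
# prefixes. Covers "diff --git" headers, ---/+++ headers (skipping /dev/null
# for added or deleted files) and rename headers.
patch_paths() {
  awk '
    /^diff --git / { sub(/^diff --git a\//, ""); sub(/ b\/.*$/, ""); print; next }
    /^(---|[+][+][+]) / { p = $2; if (p == "/dev/null") next; sub(/^[ab]\//, "", p); print p; next }
    /^rename (from|to) / { print $3; next }
  '
}

# Read newline-separated paths on stdin; succeed only if every one is a plain
# relative path under $1. Absolute paths and any ".." component are rejected
# even when the string happens to start with the allowed prefix.
check_paths() {
  prefix="$1"
  paths=$(cat)
  [ -n "$paths" ] || { echo "reject: no paths to check" >&2; return 1; }
  printf '%s\n' "$paths" | sort -u | while IFS= read -r p; do
    case "$p" in
      /*|..|../*|*/../*|*/..) echo "reject: $p is absolute or traverses" >&2; exit 1 ;;
    esac
    case "$p" in
      "$prefix"*) ;;
      *) echo "reject: $p is outside $prefix" >&2; exit 1 ;;
    esac
  done
}

# Pre-filter on the patch text itself, before anything is applied.
check_patch_paths() {
  patch_paths | check_paths "$1"
}

# Helper for scripting: print accept or reject for a patch read on stdin.
verdict() {
  if check_patch_paths "$ALLOWED_PREFIX" 2>/dev/null; then echo accept; else echo reject; fi
}

# Constructed sample: only the generated directory changes.
GOOD_PATCH='diff --git a/crates/bashkit/src/builtins/generated/ls.rs b/crates/bashkit/src/builtins/generated/ls.rs
--- a/crates/bashkit/src/builtins/generated/ls.rs
+++ b/crates/bashkit/src/builtins/generated/ls.rs
@@ -1 +1 @@
-const LS_ARGS: usize = 1;
+const LS_ARGS: usize = 2;
'

# Constructed sample: a compromised upstream smuggles a workflow permission
# change in alongside the expected drift.
BAD_PATCH="$GOOD_PATCH"'diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3 +3 @@
-  contents: read
+  contents: write
'

# Constructed sample: the prefix is present but the path climbs out of it.
TRAVERSAL_PATCH='diff --git a/crates/bashkit/src/builtins/generated/../../../../Cargo.toml b/crates/bashkit/src/builtins/generated/../../../../Cargo.toml
--- a/crates/bashkit/src/builtins/generated/../../../../Cargo.toml
+++ b/crates/bashkit/src/builtins/generated/../../../../Cargo.toml
@@ -1 +1 @@
-[package]
+[package] # tampered
'

printf 'good:      %s\n' "$(printf '%s' "$GOOD_PATCH" | verdict)"
printf 'bad:       %s\n' "$(printf '%s' "$BAD_PATCH" | verdict)"
printf 'traversal: %s\n' "$(printf '%s' "$TRAVERSAL_PATCH" | verdict)"
```

The text pre-filter is a cheap early reject; the check that actually matters in the write-scoped job is the one on what git staged, since quoted or unusual diff headers can parse differently from a hand-rolled reader. After `git apply --index drift.patch`, run `git diff --cached --name-only | check_paths "$ALLOWED_PREFIX" || exit 1` before `gh` opens or updates the PR, so the decision is made on the index the job is about to commit rather than on the patch bytes alone.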

@cloudflare-workers-and-pages commented

Deploying with Cloudflare Workers

Status: Deployment successful
Name: bashkit
Latest commit: 72ea87e
Updated (UTC): May 08 2026, 08:14 PM

@chaliy chaliy merged commit b9a7ac7 into main May 8, 2026
24 checks passed
@chaliy chaliy deleted the 2026-05-08-fix-coreutils-drift-ci-privilege branch May 8, 2026 20:26

Labels: None yet
Projects: None yet
1 participant