fix(ci): align workflows with the default branch #1571

Status: Closed
jaypatrick wants to merge 4 commits into main from fix/workflow-default-branch

Conversation

@jaypatrick (Owner)

Description

Changes

Testing

  • Unit tests added/updated
  • Manual testing performed
  • CI passes

Zero Trust Architecture Checklist

Required for every PR touching worker/ or frontend/.
Check each item that applies. If an item doesn't apply, check it and note "N/A".

Worker / Backend

  • Every handler verifies auth before executing business logic
  • CORS origin allowlist enforced (not *) on write/authenticated endpoints
  • All secrets accessed via Worker Secret bindings (not [vars])
  • All external inputs Zod-validated before use
  • All D1 queries use parameterized .prepare().bind() (no string interpolation)
  • Security events emitted to Analytics Engine on auth failures

Frontend / Angular

  • Protected routes have functional CanActivateFn auth guards
  • Auth tokens managed via Clerk SDK (not localStorage)
  • HTTP interceptor attaches Bearer token (no manual token passing)
  • API responses validated with Zod schemas before consumption

API Shield / Vulnerability Scanner

Required for every PR touching docs/api/openapi.yaml, worker/routes/, or resource endpoint handlers.

  • New/changed endpoints have a unique operationId in openapi.yaml
  • Resource endpoints (those with /{id} path parameters) include a security: annotation
  • Resource queries are scoped to the authenticated user (WHERE user_id = ?) — not just by ID
  • Missing/unauthorized resources return 404 (not 403) to avoid leaking resource existence
  • cloudflare-schema.yaml regenerated if openapi.yaml changed (deno task schema:cloudflare)

If this PR does not touch worker/ or frontend/, the ZTA checklist is not required.
If this PR does not touch openapi.yaml or resource handlers, the API Shield checklist is not required.

@jaypatrick jaypatrick self-assigned this Apr 14, 2026
Copilot AI review requested due to automatic review settings April 14, 2026 00:35
@jaypatrick jaypatrick added bug Something isn't working deployment Deployment tasks labels Apr 14, 2026
@jaypatrick jaypatrick added this to the beta milestone Apr 14, 2026
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Copilot AI (Contributor) left a comment

Pull request overview

Updates GitHub Actions workflows to be compatible with repositories whose default branch may be main or master, and standardizes several workflow files’ YAML formatting.

Changes:

  • Expand workflow triggers from main-only to master/main in multiple workflows.
  • Replace hard-coded refs/heads/main checks with github.event.repository.default_branch comparisons where supported.
  • Reformat/normalize YAML quoting and indentation across workflows.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Summary per file:

  • .github/workflows/zta-lint.yml: Updates push branch filter to include master and normalizes quoting.
  • .github/workflows/sentry-worker.yml: Updates push branch filter to include master and normalizes quoting.
  • .github/workflows/sentry-frontend.yml: Updates push branch filter to include master and reindents/normalizes YAML.
  • .github/workflows/mdbook.yml: Updates push branch filter to include master and normalizes quoting.
  • .github/workflows/lighthouse.yml: Updates workflow_run branch filter to include master and normalizes YAML.
  • .github/workflows/frontend-version-bump.yml: Updates trigger branches to include master and reindents/normalizes YAML.
  • .github/workflows/db-migrate.yml: Updates triggers to include master, uses default-branch ref checks for apply jobs, and normalizes YAML.
  • .github/workflows/claude.yml: Updates push branch filter to include master and normalizes quoting.
  • .github/workflows/ci.yml: Updates triggers to include master, switches deploy/publish gating to default-branch refs, and normalizes YAML.
  • .github/workflows/bench.yml: Updates trigger branches to include master and normalizes quoting.
  • .github/workflows/api-shield-scan.yml: Updates triggers to include master and normalizes YAML.
  • .github/actions/deploy-worker/action.yml: Tweaks deploy action warning messaging related to container push permissions.

@jaypatrick (Owner, Author)

@copilot apply changes based on the comments in this thread

Copilot AI (Contributor) commented Apr 14, 2026

@copilot apply changes based on the comments in this thread

Applied all four changes from the review thread in commit 9418f4b:

  • frontend-version-bump.yml: Added DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} to the step env, replaced --base main with --base "$DEFAULT_BRANCH", and updated the echo log messages accordingly.
  • db-migrate.yml (line ~226): Added const defaultBranch = context.payload.repository?.default_branch || 'default branch' and used it in the PR comment body instead of the hard-coded `main`.
  • db-migrate.yml (line ~297): Updated the section header comment from # Apply D1 migrations (main push only) to # Apply D1 migrations (default-branch push only).
  • ci.yml (line ~674): Restored cloudflare-containers-token: ${{ secrets.CLOUDFLARE_CONTAINERS_TOKEN }} to the deploy-worker action call.
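The default-branch gating that the review summary and the applied changes above describe, as an added example rather than one of this repository's workflows; the job name, the checkout step and the echo step are assumptions, and the `if:` shows the hard-coded check beside its default-branch replacement:

```yaml
# Added example, not one of the repository's workflows. Shows the hard-coded
# branch check the PR replaces and its default-branch equivalent.
name: deploy-on-default-branch
on:
  push:
    branches: [main, master]   # trigger widened as in the PR
  pull_request:

jobs:
  deploy-worker:               # job name is an assumption
    runs-on: ubuntu-latest
    # Weak form (the PR's "before"): stops deploying once the default branch
    # is renamed, and could deploy from a leftover "main" branch.
    #   if: github.ref == 'refs/heads/main'
    # Corrected form: github.ref is a full ref, so build the comparison value
    # with format(). If the event payload carries no repository.default_branch,
    # the right-hand side is just 'refs/heads/' and the condition fails closed.
    if: >-
      github.event_name == 'push' &&
      github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
    env:
      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
    steps:
      - uses: actions/checkout@v4
      - name: Show which ref passed the gate
        run: echo "Deploying $GITHUB_REF (default branch: $DEFAULT_BRANCH)"
```

Exposing the value through an env entry, as the frontend-version-bump change does, keeps shell steps free of a second hard-coded branch name.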

@jaypatrick jaypatrick marked this pull request as ready for review April 14, 2026 00:48
Copilot AI review requested due to automatic review settings April 14, 2026 00:48
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

@jaypatrick (Owner, Author)

@copilot apply changes based on the comments in this thread

…branch equivalents

Agent-Logs-Url: https://github.com/jaypatrick/adblock-compiler/sessions/483724fe-4263-403a-8765-5ab4673344e7

Co-authored-by: jaypatrick <1800595+jaypatrick@users.noreply.github.com>
Copilot AI (Contributor) commented Apr 14, 2026

@copilot apply changes based on the comments in this thread

Applied all five changes from the review thread in commit b7e96c5:

  • mdbook.yml: Changed --branch=main → --branch="${{ github.ref_name }}" so Cloudflare Pages always receives the actual triggering branch name.
  • db-migrate.yml concurrency comment: "On main we never want…" → "On the default branch we never want…"
  • ci.yml verify-deploy comment: "skipped on push to main" → "skipped on pushes to the repository default branch"
  • frontend-version-bump.yml lines 217–218: "version bump commit reaches main" → "reaches the default branch"
  • frontend-version-bump.yml lines 234–235: "--merge" comment updated from "stays in main history / find the tag from main" → "default branch history / find the tag from the default branch"

@jaypatrick jaypatrick closed this Apr 14, 2026
@jaypatrick jaypatrick deleted the fix/workflow-default-branch branch April 14, 2026 01:00