arch-tsdown

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The Release workflow in core-release.md delegates to and will execute remote GitHub Actions from https://github.com/sxzz/workflows (referenced as uses: sxzz/workflows/.github/workflows/release.yml@v1), which GitHub Actions fetches and runs at CI runtime and is required for the release job, so it is a runtime external dependency that executes remote code.