feat: Shorten workflow job names, add required checks, optimize runners, and restrict permissions

[Copilot]

Workflow job names were too verbose, making the workflow status difficult to scan. This PR shortens the job names across multiple workflows, adds a required checks aggregation job to fix status check issues, optimizes runner usage for better cost efficiency, and restricts GITHUB_TOKEN permissions for enhanced security.

Changes

CI workflow:

• Code quality - unit-tests (${{ matrix.gap-branch }}) → Code - units (${{ matrix.gap-branch }})
• Code quality - gaplint → Code - lint
• Added Required checks - pull-request job that aggregates the status of all CI jobs
• Added explicit permissions to all CI jobs to restrict GITHUB_TOKEN (addresses issue [Bug]: Limit CI jobs permissions #231):
  • gaptest and gaplint: contents: read (minimal read-only access)
  • required: empty permissions {} (no GitHub API access needed)

Labels workflow:

• Labels - auto-create → Labels - auto

Release workflows:

• Release the GAP package → Release
• Release draft - update release notes → Release - draft

Runner optimization:

• Changed all 9 runners from ubuntu-latest/ubuntu-22.04 to ubuntu-slim for jobs that run under 15 minutes (addresses issue [Feature Request]: Add ubuntu-slim support #229)

All changes in .github/workflows/*.yml files.

The new required checks job depends on both gaptest and gaplint jobs and will fail if any dependency fails. Configure "Required checks - pull-request" as a required status check in branch protection rules to ensure all CI jobs pass before merging.

The explicit permissions follow security best practices by limiting GITHUB_TOKEN access using the principle of least privilege, preventing potential security vulnerabilities from overly permissive defaults.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Bug]: Rename Code quality</issue_title>
<issue_description>### What happened?

Rename Code quality jobs.

• unit-tests is too long.
• Code-quality is too long too.

Keep it shorter but still readable.

Version

0.5.0 (Default)

What browsers are you seeing the problem on?

No response

Relevant log output

Code of Conduct

• I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Bug]: Rename Code quality #227

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR shortens verbose CI job names in the GitHub Actions workflow to improve readability and make the workflow status easier to scan at a glance.

Changes:

• Renamed Code quality - unit-tests to Code - units
• Renamed Code quality - gaplint to Code - lint

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[limakzi]

@copilot
Now expected status failed, because required jobs were not executed.
Here you have a sample from @mitchellh from https://github.com/ghostty-org/ghostty project.
Align it to smallantimagmas.

1. Add required job.
2. Name it Required checks - pull-request
3. Assume everything is required.

jobs:
  required:
    name: "Required Checks: Test"
    runs-on: namespace-profile-ghostty-xsm
    needs:
      - build-bench
      - build-dist
      - build-examples
      - build-flatpak
      - build-libghostty-vt
      - build-linux
      - build-linux-libghostty
      - build-nix
      - build-macos
      - build-macos-freetype
      - build-snap
      - build-windows
      - test
      - test-simd
      - test-gtk
      - test-sentry-linux
      - test-i18n
      - test-macos
      - pinact
      - prettier
      - alejandra
      - typos
      - shellcheck
      - translations
      - blueprint-compiler
      - test-pkg-linux
      - test-debian-13
      - valgrind
      - zig-fmt

    steps:
      - id: status
        name: Determine status
        run: |
          results=$(tr -d '\n' <<< '${{ toJSON(needs.*.result) }}')
          if ! grep -q -v -E '(failure|cancelled)' <<< "$results"; then
            result="failed"
          else
            result="success"
          fi
          {
            echo "result=${result}"
            echo "results=${results}"
          } | tee -a "$GITHUB_OUTPUT"
      - if: always() && steps.status.outputs.result != 'success'
        name: Check for failed status
        run: |
          echo "One or more required build workflows failed: ${{ steps.status.outputs.results }}"
          exit 1

[Copilot]

@copilot
Now expected status failed, because required jobs were not executed.
Here you have a sample from @mitchellh from https://github.com/ghostty-org/ghostty project.
...

Added the "Required checks - pull-request" job in commit 1ab0052. This job aggregates the status of both gaptest and gaplint jobs. Configure this single job name in your branch protection rules to ensure all checks pass before merging.

[limakzi]

@copilot Try to simplify Release and Labels.

[Copilot]

@copilot Try to simplify Release and Labels.

Simplified job names in Release and Labels workflows in commit c143d83:

• "Labels - auto-create" → "Labels - auto"
• "Release the GAP package" → "Release"
• "Release draft - update release notes" → "Release - draft"

[limakzi]

@copilot Cover this issue as well.

#229

[Copilot]

@copilot Cover this issue as well.

#229

Addressed issue #229 in commit 4ecac07. Changed all 9 runners across all workflows from ubuntu-latest/ubuntu-22.04 to ubuntu-slim for jobs that run under 15 minutes.

[limakzi]

@copilot Cover this issue #231 as well.

[Copilot]

@copilot Cover this issue #231 as well.

Addressed issue #231 in commit 3204d94. Added explicit permissions to all CI jobs:

• gaptest and gaplint: contents: read
• required: empty permissions {}

This restricts the GITHUB_TOKEN permissions following security best practices.