* Remove `tv` client from logged-out defaults due to #15583
* Remove all HTML5 clients from "JS-less" defaults due to #15569
* Prioritize `web` over `web_safari` until we request latter's config
* Bump all player client versions
* Do not warn for expected SABR-only responses (`web`/`web_safari`)
* Improve PO Token binding experiment debug output
Authored by: bashonly
* Solve n challenges in HLS/DASH manifest URL path parameters
* Collect all challenges in advance to solve in bulk once per video
* Improve & always use the load/store helper methods for player cache
Closes#15569, Closes#15586, Closes#15587, Closes#15600
Authored by: bashonly
* NOTE: the release workflows' new handling of secrets
may be a breaking change for forks that are using any secrets
other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN.
Previously, the release workflow would try to resolve a token
secret name based on the `target` or `source` input,
e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN,
and then fall back to using the ARCHIVE_REPO_TOKEN secret if the
resolved token secret name was not found in the repository.
This behavior has been replaced by the release workflow
always using the ARCHIVE_REPO_TOKEN secret as the token
for publishing releases to any external archive repository.
* Add zizmor CI job for auditing workflows
* Pin all actions to commit hashes instead of symbolic references
* Explicitly set GITHUB_TOKEN permissions at the job level
* Use actions/checkout with `persist-credentials: false` whenever possible
* Remove/replace template expansions in workflow scripts
* Remove all usage of actions/cache from build/release workflows
* Remove the cache-warmer.yml workflow
* Remove the unused download.yml workflow
* Set concurrency limits for any workflows that are triggered by PRs
* Avoid loading the entire secrets context
* Replace usage of `secrets: inherit` with explicit `secrets:` blocks
* Pin all external docker images to hash that are used by the build workflow
* Explicitly set `shell: bash` for some steps to avoid pwsh or set pipefail
* Ensure any pwsh steps will fail on non-zero exit codes
Authored by: bashonly
* Support newly rolled out comment "subthreads"
* Fix comments extraction: all replies were being missed
* Add a `max-depth` element to the `max_comments` extractor-arg
* Fully remove the deprecated `max_comment_depth` extractor-arg
Closes#15303
Authored by: bashonly
