ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

Author: hyperpolymath

.github/workflows/scorecard-enforcer.yml

@@ -18,17 +18,14 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  security-events: write
-  id-token: write
   contents: read
 
 jobs:
   scorecard:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      id-token: write
-      contents: read
+      id-token: write  # For OIDC
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -42,7 +39,7 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
         with:
           sarif_file: results.sarif
 
@@ -64,8 +61,6 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -78,8 +73,8 @@ jobs:
 
       - name: Check for pinned dependencies
         run: |
-          # Check workflows for unpinned actions - using anchored regex to avoid self-match
-          unpinned=$(grep -rE "^[[:space:]]+uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
+          # Check workflows for unpinned actions
+          unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
           if [ -n "$unpinned" ]; then
             echo "::warning::Found unpinned actions:"
             echo "$unpinned"