From 65b08e025edebae9d7b2579571635e44fdd32a10 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 11:59:02 +0100 Subject: [PATCH 1/5] ci: redistribute canonical codeql.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/codeql.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a786f9c..9e32d15 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0-or-later +# SPDX-License-Identifier: PMPL-1.0 name: CodeQL Security Analysis on: @@ -30,21 +30,20 @@ jobs: fail-fast: false matrix: include: - # Idris2 is not supported by CodeQL, so we scan workflow files only - - language: actions + - language: javascript-typescript build-mode: none steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.28.1 + uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.28.1 + uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3 with: category: "/language:${{ matrix.language }}" From 29d4f643509c9ca99526e8721bb853f9139bc9b1 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 11:59:03 +0100 Subject: [PATCH 2/5] ci: redistribute canonical governance.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) From 7cac1b686d184a764b99f086f512ea537340c1a1 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 11:59:04 +0100 Subject: [PATCH 3/5] ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/scorecard-enforcer.yml | 25 +++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index caae499..04206c0 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -27,27 +27,42 @@ jobs: security-events: write id-token: write # For OIDC steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run Scorecard - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3 + uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4 with: sarif_file: results.sarif - # Check specific high-priority items (separate job, allowed to have run: steps) + - name: Check minimum score + run: | + # Parse score from results + SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0") + + echo "OpenSSF Scorecard Score: $SCORE" + + # Minimum acceptable score (0-10 scale) + MIN_SCORE=5 + + if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then + echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE" + exit 1 + fi + + # Check specific high-priority items check-critical: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check SECURITY.md exists run: | From 1d169eea73a69792fc7ede4a06b5d30bcb88c8c8 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 11:59:05 +0100 Subject: [PATCH 4/5] ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/scorecard.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 81a3a4c..29853b2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0-or-later +# SPDX-License-Identifier: PMPL-1.0 name: OSSF Scorecard on: push: @@ -25,7 +25,7 @@ jobs: security-events: write id-token: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -36,6 +36,6 @@ jobs: results_format: sarif - name: Upload results - uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.31.8 + uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8 with: sarif_file: results.sarif From 283a236011a7f1728442a96942bf736aca7c2af7 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 11:59:07 +0100 Subject: [PATCH 5/5] ci: redistribute canonical secret-scanner.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/secret-scanner.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 4de0e24..8801d53 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0-or-later +# SPDX-License-Identifier: PMPL-1.0 # Prevention workflow - scans for hardcoded secrets before they reach main name: Secret Scanner @@ -22,12 +22,12 @@ jobs: trufflehog: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 # Full history for scanning - name: TruffleHog Secret Scan - uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3 + uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3 with: # The v3 action injects --fail automatically on pull_request events. # Passing --fail here triggers "flag 'fail' cannot be repeated". @@ -36,7 +36,7 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 @@ -49,7 +49,7 @@ jobs: rust-secrets: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Check for hardcoded secrets in Rust run: |