ci: redistribute concurrency-cancel guard to read-only check workflows (#29)

hyperpolymath · web-flow · commit 35fb302b0bcd · 2026-05-18T12:06:33.000+01:00
* ci: redistribute canonical codeql.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) * ci: redistribute canonical governance.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) * ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) * ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) * ci: redistribute canonical secret-scanner.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,13 +1,13 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
-name: CodeQL
+# SPDX-License-Identifier: PMPL-1.0
+name: CodeQL Security Analysis
 
 on:
   push:
-    branches: [ main ]
+    branches: [main, master]
   pull_request:
-    branches: [ main ]
+    branches: [main, master]
   schedule:
-    - cron: '0 0 * * 1' # Weekly on Monday
+    - cron: '0 6 * * 1'
 
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
@@ -18,31 +18,32 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
-  security-events: write
 
 jobs:
   analyze:
-    name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'rust' ]
+        include:
+          - language: javascript-typescript
+            build-mode: none
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+        uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           languages: ${{ matrix.language }}
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+          build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+        uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
@@ -39,7 +39,7 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
         with:
           sarif_file: results.sarif
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,12 +1,11 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
-name: OpenSSF Scorecard
-
+# SPDX-License-Identifier: PMPL-1.0
+name: OSSF Scorecard
 on:
-  branch_protection_rule:
-  schedule:
-    - cron: '0 0 * * 2' # Weekly on Tuesday
   push:
-    branches: [ main ]
+    branches: [main, master]
+  schedule:
+    - cron: '0 4 * * *'
+  workflow_dispatch:
 
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
@@ -21,25 +20,22 @@ permissions:
 
 jobs:
   analysis:
-    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       security-events: write
       id-token: write
     steps:
-      - name: Checkout code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: true
 
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0
+# SPDX-License-Identifier: PMPL-1.0
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
 
@@ -22,19 +22,21 @@ jobs:
   trufflehog:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0  # Full history for scanning
 
       - name: TruffleHog Secret Scan
-        uses: trufflesecurity/trufflehog@6961f2bace57ab32b23b3ba40f8f420f6bc7e004 # v3
+        uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
         with:
-          extra_args: --only-verified --fail
+          # The v3 action injects --fail automatically on pull_request events.
+          # Passing --fail here triggers "flag 'fail' cannot be repeated".
+          extra_args: --only-verified
 
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0
 
@@ -47,10 +49,14 @@ jobs:
   rust-secrets:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - name: Check for hardcoded secrets in Rust
         run: |
+          if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
+            echo 'No Cargo.toml found — skipping Rust secrets check'
+            exit 0
+          fi
           # Patterns that suggest hardcoded secrets
           PATTERNS=(
             'const.*SECRET.*=.*"'
