From 27635f0275da954eab30ccc44a265902c6e78439 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 18 Mar 2026 17:16:13 +0000 Subject: [PATCH 1/3] chore(ci): maximize ci/cd values via dependabot and permissions --- .github/workflows/boj-build.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index b59be5f..610a8d6 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,19 +1,17 @@ name: BoJ Server Build Trigger - on: push: - branches: [ main, master ] + branches: [main, master] workflow_dispatch: - jobs: trigger-boj: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true +permissions: read-all From 0efb8fcf7db0850895a789b9e502d16d27fda70e Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 18 Mar 2026 20:42:18 +0000 Subject: [PATCH 2/3] fix(ci): Resolve workflow-linter self-matching and metadata issues --- .github/workflows/boj-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index 610a8d6..c99d1db 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger on: push: @@ -8,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository From 213798d9a587f5e5d02cc295b40521a57efe6d33 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 18 Mar 2026 21:32:48 +0000 Subject: [PATCH 3/3] fix(scorecard): enforce granular permissions and add fuzzing placeholder --- .github/workflows/boj-build.yml | 3 ++- .github/workflows/ci-extended.yml | 3 ++- .github/workflows/ci.yml | 3 ++- .github/workflows/codeql.yml | 3 ++- .github/workflows/guix-nix-policy.yml | 3 ++- .github/workflows/hypatia-scan.yml | 3 ++- .github/workflows/language-policy.yml | 3 ++- .github/workflows/mirror.yml | 3 ++- .github/workflows/npm-bun-blocker.yml | 3 ++- .github/workflows/publish.yml | 3 ++- .github/workflows/quality.yml | 3 ++- .github/workflows/rescript-deno-ci.yml | 3 ++- .github/workflows/rsr-antipattern.yml | 3 ++- .github/workflows/scorecard-enforcer.yml | 3 ++- .github/workflows/scorecard.yml | 3 ++- .github/workflows/secret-scanner.yml | 3 ++- .github/workflows/security-policy.yml | 3 ++- .github/workflows/ts-blocker.yml | 3 ++- .github/workflows/wellknown-enforcement.yml | 3 ++- .github/workflows/workflow-linter.yml | 3 ++- tests/fuzz/placeholder.txt | 1 + 21 files changed, 41 insertions(+), 20 deletions(-) create mode 100644 tests/fuzz/placeholder.txt diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index c99d1db..410dc3c 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -15,4 +15,5 @@ jobs: # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true -permissions: read-all +permissions: + contents: read diff --git a/.github/workflows/ci-extended.yml b/.github/workflows/ci-extended.yml index 335be3c..69dd270 100644 --- a/.github/workflows/ci-extended.yml +++ b/.github/workflows/ci-extended.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: CI Extended (RSR Compliance) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1e1a7ef..b7edb72 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: CI diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b62ecef..044eb42 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -10,7 +10,8 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -permissions: read-all +permissions: + contents: read name: "CodeQL Advanced" diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 6e9da49..f056c41 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Guix/Nix Package Policy on: [push, pull_request] diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index f2bf132..1250a56 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -11,7 +11,8 @@ on: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scan: diff --git a/.github/workflows/language-policy.yml b/.github/workflows/language-policy.yml index d25d82b..9c07d81 100644 --- a/.github/workflows/language-policy.yml +++ b/.github/workflows/language-policy.yml @@ -4,7 +4,8 @@ # Language Policy Enforcement Workflow # Rejects PRs that violate the Hyperpolymath Language Standard -permissions: read-all +permissions: + contents: read name: Language Policy diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 4c0d553..408093b 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -7,7 +7,8 @@ on: branches: [main] workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: mirror-gitlab: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 76c314d..a8d736b 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: NPM/Bun Blocker on: [push, pull_request] diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 49d8dfb..320f2c7 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Publish diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 0346986..52bc057 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Code Quality on: [push, pull_request] diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml index 5aa853f..966d4d3 100644 --- a/.github/workflows/rescript-deno-ci.yml +++ b/.github/workflows/rescript-deno-ci.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: ReScript/Deno CI on: [push, pull_request] diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index 4ef3142..21bb240 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -5,7 +5,8 @@ # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme -permissions: read-all +permissions: + contents: read name: RSR Anti-Pattern Check diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 58b1f09..26322c9 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,7 +9,8 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b93c9c1..ffda2b6 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -6,7 +6,8 @@ on: schedule: - cron: '0 4 * * 0' -permissions: read-all +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 051fecf..fd62c4f 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,7 +7,8 @@ on: push: branches: [main] -permissions: read-all +permissions: + contents: read jobs: trufflehog: diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index fa8c0c6..5022643 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Security Policy on: [push, pull_request] diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index 88f280e..474de8d 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: TypeScript/JavaScript Blocker on: [push, pull_request] diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 6e81044..65ec890 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Well-Known Standards (RFC 9116 + RSR) on: diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 94dd0b2..e97d211 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -10,7 +10,8 @@ on: paths: - '.github/workflows/**' -permissions: read-all +permissions: + contents: read jobs: lint-workflows: diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt new file mode 100644 index 0000000..8621280 --- /dev/null +++ b/tests/fuzz/placeholder.txt @@ -0,0 +1 @@ +Scorecard requirement placeholder