From 1d6cddce24eecd62bf3ff890ce6ea2cb1f775873 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:46:48 +0100
Subject: [PATCH 1/5] ci: redistribute canonical codeql.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/codeql.yml | 51 +++++++++--------------------------
 1 file changed, 12 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ee15d90..9e32d15 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 name: CodeQL Security Analysis
 on:
@@ -8,9 +8,11 @@ on:
     branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
-# Estate guardrail: cancel superseded runs so re-pushes don't pile up
-# queued runs across the estate. Safe here because this workflow only
-# performs read-only checks/lint/test/scan with no publish or mutation.
+
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -19,38 +21,7 @@ permissions:
   contents: read
 jobs:
-  # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
-  # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
-  # made CodeQL exit with a "no source / configuration error" on every
-  # non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
-  # Detect the languages the repo ACTUALLY contains and only analyse the
-  # CodeQL-supported, buildless-safe ones; skip entirely when none apply.
-  detect:
-    runs-on: ubuntu-latest
-    outputs:
-      langs: ${{ steps.pick.outputs.langs }}
-    steps:
-      - name: Pick CodeQL languages from repo language stats
-        id: pick
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
-          out=""
-          add() { out="$out $1"; }
-          echo "$stats" | grep -qix 'Rust' && add rust
-          echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
-          echo "$stats" | grep -qix 'Python' && add python
-          echo "$stats" | grep -qix 'Ruby' && add ruby
-          echo "$stats" | grep -qix 'Go' && add go
-          arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
-          [ -z "$arr" ] && arr='[]'
-          echo "Detected CodeQL languages: $arr"
-          echo "langs=$arr" >> "$GITHUB_OUTPUT"
   analyze:
-    needs: detect
-    if: needs.detect.outputs.langs != '[]'
     runs-on: ubuntu-latest
     permissions:
       contents: read
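Review bot: Removing the `detect` job together with `needs: detect` and `if: needs.detect.outputs.langs != '[]'` takes away the only path that ever put `rust` into the CodeQL matrix, and the deleted header comment records that a fixed `javascript-typescript` matrix produced a permanent false-red `analyze` on every non-JS/TS repo; nothing in this hunk says why that no longer applies. The sibling files in this series (`rust-ci` in governance.yml, the Rust-specific job in secret-scanner.yml) suggest Rust is this repo's primary language, so the practical effect is that CodeQL stops covering the code that matters while the workflow keeps reporting. If the canonical file must be static per estate policy, at least leave a one-line note where the gate was, e.g. `# Languages are fixed by estate policy (standards#122); a repo with no JS/TS source will fail analyze rather than skip.`, so the next person does not re-add detection blind. The `analyze` job continues past the end of this hunk.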
@@ -58,19 +29,21 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ${{ fromJSON(needs.detect.outputs.langs) }}
+        include:
+          - language: javascript-typescript
+            build-mode: none
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
+        uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           languages: ${{ matrix.language }}
-          build-mode: none
+          build-mode: ${{ matrix.build-mode }}
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
+        uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           category: "/language:${{ matrix.language }}"

From bf43d77cf004ec69dd5bb106c7c6874761e483c3 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:46:49 +0100
Subject: [PATCH 2/5] ci: redistribute canonical governance.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/governance.yml | 12 +++++------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 9897457..4bb50e9 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
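Review bot: The new pin comment `# v3` on `github/codeql-action/init@c6f9311…` and `analyze@c6f9311…` drops the exact release the old `# v3.28.1` recorded, and the very same SHA is labelled `# v4` in scorecard-enforcer.yml and `# v3.31.8` in scorecard.yml later in this series — one commit cannot be all three, so the comment can no longer be used to audit the pin, and tooling such as Dependabot keys its comment rewrite off it. Resolve the SHA once and write the same `# vX.Y.Z` tag in all three files. The hard-coded `include:` entry also fixes both `language` and `build-mode`; if Rust is what this repo ships, a second entry `- language: rust` / `build-mode: none` is the pairing the removed `detect` job used to select — confirm the pinned codeql-action release supports it before adding. The `analyze` job starts before this hunk.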
@@ -1,16 +1,14 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-# governance.yml — single wrapper that calls the shared estate governance
-# bundle in hyperpolymath/standards instead of carrying ~8 local copies.
+# governance.yml — single wrapper calling the shared estate governance bundle
+# in hyperpolymath/standards instead of carrying per-repo copies.
 #
-# Replaces (deleted in verisimiser#59):
+# Replaces the per-repo governance scaffolding removed in the same commit:
 # quality.yml, guix-nix-policy.yml, npm-bun-blocker.yml, ts-blocker.yml,
 # security-policy.yml, rsr-antipattern.yml, wellknown-enforcement.yml,
 # workflow-linter.yml
 #
-# Load-bearing workflows stay standalone in this repo:
-# rust-ci, codeql, dependabot-automerge, release
-# (plus repo-specific gates dogfood-gate / static-analysis-gate and the
-# mirror/pages/scan plumbing, which have side effects or no PR noise).
+# Load-bearing build/security workflows stay standalone in the repo
+# (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing).
 name: Governance

From bf034939c630846ca568c66cfd4a330d02c45f96 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:46:51 +0100
Subject: [PATCH 3/5] ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/scorecard-enforcer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index b16f0ee..04206c0 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -39,7 +39,7 @@ jobs:
         publish_results: true
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
         with:
           sarif_file: results.sarif
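Review bot: The rewritten line `# Replaces the per-repo governance scaffolding removed in the same commit:` is not accurate for this patch — its diffstat touches governance.yml alone — and it drops the only pointer (`verisimiser#59`) to where those eight workflows were actually deleted, which is exactly what someone reconstructing why `security-policy.yml` or `workflow-linter.yml` vanished will look for. Keep the provenance, e.g. `# Replaces the per-repo governance scaffolding (deleted in verisimiser#59):`. Separately, this file keeps `# SPDX-License-Identifier: PMPL-1.0-or-later` while codeql.yml, scorecard.yml and secret-scanner.yml in the same series switch to `PMPL-1.0`; if the identifier change is intentional it should be applied consistently and mentioned in the commit message, since it changes the licence grant on the file.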
From f76510bbab3fa9a1fea062dbac110216a2840836 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:46:52 +0100
Subject: [PATCH 4/5] ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/scorecard.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index c63bac5..29853b2 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 name: OSSF Scorecard
 on:
   push:
@@ -30,12 +30,12 @@ jobs:
           persist-credentials: false
       - name: Run Scorecard
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.31.8
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
         with:
           sarif_file: results.sarif

From ac74052305eb93cdf8a3d20ecf534b6428124069 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:46:54 +0100
Subject: [PATCH 5/5] ci: redistribute canonical secret-scanner.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/secret-scanner.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index a923a66..8801d53 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
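Review bot: The `ossf/scorecard-action@4eaacf05…` line changes only its comment, from `# v2.4.3` to `# v2.3.1`, while the SHA is untouched — so at least one of the two labels is wrong, and the new one reads as a downgrade that did not happen. Likewise `upload-sarif@c6f9311…` is labelled `# v3.31.8` here but `# v3` in codeql.yml and `# v4` in scorecard-enforcer.yml within the same series. A pin comment that does not match its SHA is worse than none, because it is what a reviewer (and Dependabot's comment rewrite) trusts when checking the pin without resolving it. Resolve each SHA to its tag and write the same `# vX.Y.Z` in every file, e.g. `uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # <tag the SHA resolves to>`.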
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
@@ -22,19 +22,21 @@ jobs:
   trufflehog:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0 # Full history for scanning
       - name: TruffleHog Secret Scan
         uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
         with:
-          extra_args: --only-verified --fail
+          # The v3 action injects --fail automatically on pull_request events.
+          # Passing --fail here triggers "flag 'fail' cannot be repeated".
+          extra_args: --only-verified
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0
@@ -46,12 +46,15 @@ jobs:
   # Rust-specific: Check for hardcoded crypto values
   rust-secrets:
     runs-on: ubuntu-latest
-    if: hashFiles('**/Cargo.toml') != ''
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Check for hardcoded secrets in Rust
         run: |
+          if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
+            echo 'No Cargo.toml found — skipping Rust secrets check'
+            exit 0
+          fi
           # Patterns that suggest hardcoded secrets
           PATTERNS=(
             'const.*SECRET.*=.*"'
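Review bot: Dropping `--fail` from `extra_args` makes the job's exit status depend on the action injecting it, and the new comment says that happens only on pull_request events; if this workflow also runs on push or schedule (its `on:` block is outside the hunk), a verified secret found there is logged but the job stays green, which contradicts the file's stated purpose of stopping secrets before they reach main. Confirm the trigger set and record the consequence next to the flag, e.g. `# --fail is injected by the action on pull_request only; any push/schedule run here is report-only.`. Separately, the checkout pin comment changes from `# v6.0.2` to `# v4` on an unchanged SHA `de0fac2e…`, while codeql.yml in this same series keeps `# v6.0.2` for that SHA — pick the label the SHA actually resolves to and use it in both files.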
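Review bot: The new in-script guard turns the old job-level skip into a green step: after `echo 'No Cargo.toml found — skipping Rust secrets check'` the `exit 0` reports success without scanning anything, so a broken checkout or a wrong working directory would make the Rust secrets check pass silently, whereas the removed `if: hashFiles(...)` at least showed the job as skipped. Moving the check after checkout is the right direction — a job-level `hashFiles` is evaluated before any checkout and presumably always came back empty — but make the skip visible in the checks UI, e.g. `echo '::notice::No Cargo.toml found — Rust secrets check skipped'`, or put the `find` in its own step and gate the scan with `if:` on its output. The `run:` script continues past the hunk (the `PATTERNS=(` array is still open at its last line).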