Review SCM files and security updates #9

hyperpolymath · 2025-12-17T20:10:58Z

Security improvements:

SCM file fixes:

Actions pinned to SHA:

actions/checkout@34e1148 (v4.3.1)
dtolnay/rust-toolchain@f7ccc83
Swatinem/rust-cache@779680d (v2.8.2)
codecov/codecov-action@b9fd7d1 (v4.6.0)
github/codeql-action@45c3735 (v3.31.9)
ossf/scorecard-action@4eaacf0 (v2.4.3)
trufflesecurity/trufflehog@05cccb5 (v3.92.3)
editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 (v2.1.0)
webfactory/ssh-agent@a6f90b1 (v0.9.1)
actions/configure-pages@983d773 (v5.0.0)
actions/jekyll-build-pages@44a6e6b (v1.0.13)
actions/upload-pages-artifact@56afc60 (v3.0.1)
actions/deploy-pages@d6db901 (v4.0.5)

@main

Security improvements: - Pin all GitHub Actions to full SHA commits (RSR compliance) - Fix CodeQL workflow to target main/master instead of stale branch - Update trufflehog from @main to pinned SHA (critical fix) - Update editorconfig-checker from @main to pinned SHA SCM file fixes: - guix.scm: Fix dual license (MIT OR AGPL-3.0-or-later), sync v1.0.0 - ECOSYSTEM.scm: Replace placeholder text with actual content - STATE.scm: Update version to 1.0.0, add component breakdown - META.scm: Add ADRs for crypto and formal verification Actions pinned to SHA: - actions/checkout@34e1148 (v4.3.1) - dtolnay/rust-toolchain@f7ccc83 - Swatinem/rust-cache@779680d (v2.8.2) - codecov/codecov-action@b9fd7d1 (v4.6.0) - github/codeql-action@45c3735 (v3.31.9) - ossf/scorecard-action@4eaacf0 (v2.4.3) - trufflesecurity/trufflehog@05cccb5 (v3.92.3) - editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 (v2.1.0) - webfactory/ssh-agent@a6f90b1 (v0.9.1) - actions/configure-pages@983d773 (v5.0.0) - actions/jekyll-build-pages@44a6e6b (v1.0.13) - actions/upload-pages-artifact@56afc60 (v3.0.1) - actions/deploy-pages@d6db901 (v4.0.5)

hyperpolymath merged commit f0f93cc into main Dec 17, 2025
17 of 19 checks passed

hyperpolymath deleted the claude/review-scm-security-RwRBe branch December 17, 2025 20:25

Provide feedback