From 51a5afab82cbd5982efdf0bbbd3a5df75207812f Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 10:52:25 +0100
Subject: [PATCH 1/5] ci: redistribute canonical codeql.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)
---
.github/workflows/codeql.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2c3381f..9e32d15 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
name: CodeQL Security Analysis
on:
@@ -35,15 +35,15 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Initialize CodeQL
- uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+ uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+ uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
with:
category: "/language:${{ matrix.language }}"
From 971eac13bf0804af0d1c9d3cda9d1e8afd4a0ead Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 10:52:27 +0100
Subject: [PATCH 2/5] ci: redistribute canonical governance.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)
From 9e57d1417277541198c060e9bf4a7fae8852be5e Mon Sep 17 00:00:00 2001
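Review bot: The pin comments on the `init` and `analyze` lines were weakened from `# v3.28.1` to `# v3`, and the same SHA `c6f931105cb2…` is labelled `# v4` in the scorecard-enforcer patch and `# v3.31.8` in the scorecard patch of this series, so at least two of those labels are wrong and none of them lets a reviewer check the pin against a release tag; write the exact tag the SHA resolves to, e.g. `uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # vX.Y.Z (verify against the codeql-action release)`. The subject promises a concurrency-cancel guard, but the diffstat (4 insertions, 4 deletions) is fully accounted for by the SPDX line and the three `uses:` lines, so no `concurrency:` block reaches codeql.yml in this patch. The SPDX change from `PMPL-1.0-or-later` to `PMPL-1.0` is a licensing change unrelated to the `ci:` subject and deserves its own commit or at least a sentence in the message. The governance.yml patch (2/5) shows no diff body in this view, so whether the guard landed there cannot be confirmed from here.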
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 10:52:28 +0100
Subject: [PATCH 3/5] ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)
---
.github/workflows/scorecard-enforcer.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index 1638c58..04206c0 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -27,19 +27,19 @@ jobs:
security-events: write
id-token: write # For OIDC
steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run Scorecard
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+ uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
with:
sarif_file: results.sarif
@@ -62,7 +62,7 @@ jobs:
check-critical:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check SECURITY.md exists
run: |
From 739b005968c0e3d91bd2835a0af3e00eaf924254 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 10:52:30 +0100
Subject: [PATCH 4/5] ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)
---
.github/workflows/scorecard.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
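Review bot: The `Upload SARIF` line labels SHA `c6f931105cb2…` as `# v4`, while the codeql patch in this same series labels the identical SHA `# v3` and the scorecard patch labels it `# v3.31.8`; a major-version disagreement on one commit means the labels were not derived from the tag, so resolve the SHA and write the exact tag, e.g. `# v4.x.y`, on all three files. The same applies to `4eaacf0543bb…`, labelled `# v2.4.3` here but `# v2.3.1` in scorecard.yml. Pinning to a SHA only buys supply-chain safety if the accompanying comment lets a reviewer verify that the SHA is the release it claims to be.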
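Review bot: The new checkout line in `check-critical` carries no `persist-credentials: false`, unlike the checkout in the job above, so by actions/checkout's default the workflow token stays in the local git config for the rest of the job; bring it in line with the first hunk by adding `with:` and `persist-credentials: false` beneath the `uses:` line. The step that follows (`run: |`) has its body outside the hunk, so whether anything in it needs the persisted token cannot be confirmed here.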
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 019f868..29853b2 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
name: OSSF Scorecard
on:
push:
@@ -25,17 +25,17 @@ jobs:
security-events: write
id-token: write
steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run Scorecard
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.3.1
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.3.1
with:
results_file: results.sarif
results_format: sarif
- name: Upload results
- uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.31.8
+ uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
with:
sarif_file: results.sarif
From f4fd6c068dd45b8dff824beb1e9347edb7a9f48c Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 10:52:31 +0100
Subject: [PATCH 5/5] ci: redistribute canonical secret-scanner.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122)
---
.github/workflows/secret-scanner.yml | 277 +--------------------------
1 file changed, 6 insertions(+), 271 deletions(-)
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 92f59f6..8801d53 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
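Review bot: Both bumped SHAs on the `Run Scorecard` and `Upload results` lines keep their old version comments (`# v2.3.1` and `# v3.31.8`) even though the SHA changed, and the scorecard-enforcer patch labels the same `4eaacf0543bb…` as `# v2.4.3`, so the labels here were carried forward rather than resolved; update each comment to the tag the new SHA actually points at, e.g. `uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.x.y (verify)`. A stale label next to a pin is worse than none, because it invites a reviewer to approve a SHA they have not checked. As in the codeql patch, the subject's concurrency-cancel guard is not among the 4 insertions of this diffstat.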
@@ -1,12 +1,11 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
# Prevention workflow - scans for hardcoded secrets before they reach main
name: Secret Scanner
on:
- workflow_dispatch:
pull_request:
push:
- branches: ['**']
+ branches: [main]
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
# updates do not pile up queued runs against the shared account-wide
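Review bot: Narrowing `push:` from `branches: ['**']` to `branches: [main]` and deleting `workflow_dispatch:` means a secret pushed to a feature branch is no longer scanned until someone opens a pull request, and there is no way to rerun the scanner on demand after a detector update, which sits oddly under the header comment `# Prevention workflow - scans for hardcoded secrets before they reach main`. If the motive is only to stop queued runs piling up, the concurrency guard the following comment describes already covers that, so keep the broad push trigger, or at minimum restore `workflow_dispatch:` under `on:`. The concurrency block itself lies outside this hunk, so its exact grouping cannot be checked here.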
@@ -20,262 +19,39 @@ permissions: contents: read jobs: - hypatia-elixir-secrets: - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 - with: - fetch-depth: 0 - - - name: Setup Elixir for Hypatia ruleset - uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.18.2 - with: - elixir-version: '1.19.4' - otp-version: '28.3' - - - name: Clone Hypatia - run: git clone --depth 1 https://github.com/hyperpolymath/hypatia.git "$RUNNER_TEMP/hypatia" - - - name: Run Hypatia Elixir secret ruleset - id: hypatia_ruleset - working-directory: ${{ runner.temp }}/hypatia - env: - SCAN_REPO: ${{ github.workspace }} - OUTPUT_FILE: ${{ github.workspace }}/hypatia-secret-findings.json - run: | - set -euo pipefail - mix deps.get --only prod - - cat > "$RUNNER_TEMP/hypatia-secret-scan.exs" <<'ELIXIR' - repo = System.fetch_env!("SCAN_REPO") - output = System.fetch_env!("OUTPUT_FILE") - - {stdout, status} = System.cmd("git", ["-C", repo, "ls-files"]) - if status != 0, do: raise("git ls-files failed") - - tracked_files = String.split(stdout, "\n", trim: true) - - findings = - tracked_files - |> Enum.flat_map(fn rel_path -> - abs_path = Path.join(repo, rel_path) - - case File.stat(abs_path) do - {:ok, %File.Stat{type: :regular, size: size}} when size <= 1_000_000 -> - case File.read(abs_path) do - {:ok, content} -> - if String.contains?(content, <<0>>) do - [] - else - Hypatia.Rules.SecurityErrors.detect_secrets(content) - |> Enum.map(fn label -> - %{ - rule_module: "security_errors", - severity: "critical", - type: "secret_detected", - file: rel_path, - reason: "Secret found: #{label}", - action: "revoke_rotate_and_purge", - detected_at: DateTime.utc_now() |> DateTime.to_iso8601() - } - end) - end - - _ -> - [] - end - - _ -> - [] - end - end) - - File.write!(output, Jason.encode!(findings, pretty: true)) - IO.puts("secret_findings=#{length(findings)}") - ELIXIR - - SCAN_RESULT="$(mix run 
"$RUNNER_TEMP/hypatia-secret-scan.exs")" - echo "$SCAN_RESULT" - FINDINGS_COUNT="$(echo "$SCAN_RESULT" | awk -F= '/^secret_findings=/{print $2}' | tail -1)" - FINDINGS_COUNT="${FINDINGS_COUNT:-0}" - echo "findings_count=$FINDINGS_COUNT" >> "$GITHUB_OUTPUT" - echo "Hypatia Elixir secret findings: $FINDINGS_COUNT" >> "$GITHUB_STEP_SUMMARY" - - - name: Upload Hypatia secret findings - if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: hypatia-secret-findings - path: hypatia-secret-findings.json - retention-days: 30 - - - name: Dispatch secret alert to gitbot-fleet - if: steps.hypatia_ruleset.outputs.findings_count != '0' - env: - DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }} - REPO: ${{ github.repository }} - REF: ${{ github.ref }} - SHA: ${{ github.sha }} - RUN_ID: ${{ github.run_id }} - FINDINGS_COUNT: ${{ steps.hypatia_ruleset.outputs.findings_count }} - run: | - set -euo pipefail - if [ -z "${DISPATCH_TOKEN:-}" ]; then - echo "::warning::FARM_DISPATCH_TOKEN is not configured; skipping gitbot-fleet dispatch." - exit 0 - fi - - cat > payload.json <> "$GITHUB_STEP_SUMMARY" - - - name: Block on secret findings - if: steps.hypatia_ruleset.outputs.findings_count != '0' - run: | - echo "::error::Hypatia Elixir ruleset detected ${{ steps.hypatia_ruleset.outputs.findings_count }} secret finding(s)." - echo "::error::Secrets must be revoked/rotated and removed before merge." 
- exit 1 - trufflehog: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: fetch-depth: 0 # Full history for scanning - name: TruffleHog Secret Scan - id: trufflehog_scan - continue-on-error: true - uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3 + uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3 with: # The v3 action injects --fail automatically on pull_request events. # Passing --fail here triggers "flag 'fail' cannot be repeated". extra_args: --only-verified - - name: Immediate dispatch (TruffleHog finding) - if: steps.trufflehog_scan.outcome == 'failure' - env: - DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }} - REPO: ${{ github.repository }} - REF: ${{ github.ref }} - SHA: ${{ github.sha }} - RUN_ID: ${{ github.run_id }} - run: | - set -euo pipefail - if [ -z "${DISPATCH_TOKEN:-}" ]; then - echo "::warning::FARM_DISPATCH_TOKEN not configured; skipping gitbot-fleet dispatch." - exit 0 - fi - - cat > payload.json < payload.json < payload.json <