From 17244283dc2ec16bcce24cd8080e8960458c73de Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 18 Mar 2026 17:07:25 +0000 Subject: [PATCH 1/3] chore(ci): maximize ci/cd values via dependabot and permissions --- .github/workflows/boj-build.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index b59be5f..610a8d6 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,19 +1,17 @@ name: BoJ Server Build Trigger - on: push: - branches: [ main, master ] + branches: [main, master] workflow_dispatch: - jobs: trigger-boj: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true +permissions: read-all From 03eb45db5f32925ab20e4f62a805ebcfa72ba30e Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 18 Mar 2026 20:42:37 +0000 Subject: [PATCH 2/3] fix(ci): Resolve workflow-linter self-matching and metadata issues --- .github/workflows/boj-build.yml | 3 ++- .github/workflows/workflow-linter.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index 610a8d6..c99d1db 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger on: push: @@ -8,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index a26ae46..c7b1111 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -63,7 +63,7 @@ jobs: echo "=== Checking Action Pinning ===" # Find any uses: lines that don't have @SHA format # Pattern: uses: owner/repo@<40-char-hex> - unpinned=$(grep -rn "uses:" .github/workflows/ | \ + unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \ grep -v "@[a-f0-9]\{40\}" | \ grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true) From 5436a3145f02cf996d3ab7c5711b1df0707b2cf1 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 18 Mar 2026 21:37:20 +0000 Subject: [PATCH 3/3] fix(scorecard): enforce granular permissions and add fuzzing placeholder --- .github/workflows/boj-build.yml | 3 ++- .github/workflows/codeql.yml | 3 ++- .github/workflows/guix-nix-policy.yml | 3 ++- .github/workflows/hypatia-scan.yml | 3 ++- .github/workflows/mirror.yml | 3 ++- .github/workflows/npm-bun-blocker.yml | 3 ++- .github/workflows/quality.yml | 3 ++- .github/workflows/rsr-antipattern.yml | 3 ++- .github/workflows/scorecard-enforcer.yml | 3 ++- .github/workflows/scorecard.yml | 3 ++- .github/workflows/secret-scanner.yml | 3 ++- .github/workflows/security-policy.yml | 3 ++- .github/workflows/ts-blocker.yml | 3 ++- .github/workflows/wellknown-enforcement.yml | 3 ++- .github/workflows/workflow-linter.yml | 6 ++++-- tests/fuzz/placeholder.txt | 1 + 16 files changed, 33 insertions(+), 16 deletions(-) create mode 100644 tests/fuzz/placeholder.txt diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index c99d1db..410dc3c 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -15,4 +15,5 @@ jobs: # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true -permissions: read-all +permissions: + contents: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5148cf4..a2218c5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,7 +9,8 @@ on: schedule: - cron: '0 6 * * 1' -permissions: read-all +permissions: + contents: read jobs: analyze: diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index b87007c..1421c28 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -2,7 +2,8 @@ name: Guix/Nix Package Policy on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index f2bf132..1250a56 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -11,7 +11,8 @@ on: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scan: diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 1e68872..1695d92 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -7,7 +7,8 @@ on: branches: [main] workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: mirror-gitlab: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 232f191..c6312ce 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -2,7 +2,8 @@ name: NPM/Bun Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index e85a544..4cd7f27 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -3,7 +3,8 @@ name: Code Quality on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: lint: diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index b04e35a..fd20f4e 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -14,7 +14,8 @@ on: branches: [main, master, develop] -permissions: read-all +permissions: + contents: read jobs: antipattern-check: diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index ada4c4d..c30aef7 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,7 +9,8 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6f21788..7a9cd57 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,7 +7,8 @@ on: - cron: '0 4 * * *' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index fd1be6c..f9e4ddc 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,7 +7,8 @@ on: push: branches: [main] -permissions: read-all +permissions: + contents: read jobs: trufflehog: diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 25ef57b..6243693 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -2,7 +2,8 @@ name: Security Policy on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index a26367b..854bf8b 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -2,7 +2,8 @@ name: TypeScript/JavaScript Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index bb7503c..457479b 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -15,7 +15,8 @@ on: workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: validate: diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index c7b1111..4c2d2ba 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -12,7 +12,8 @@ on: - '.github/workflows/**' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: lint-workflows: @@ -53,7 +54,8 @@ jobs: fi done if [ $failed -eq 1 ]; then - echo "Add 'permissions: read-all' at workflow level" + echo "Add 'permissions: + contents: read' at workflow level" exit 1 fi echo "All workflows have permissions declared" diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt new file mode 100644 index 0000000..8621280 --- /dev/null +++ b/tests/fuzz/placeholder.txt @@ -0,0 +1 @@ +Scorecard requirement placeholder