From d06fc33c5dc2fb5cc599e5b766d3d983083e7b72 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 18 Mar 2026 17:07:58 +0000
Subject: [PATCH 1/3] chore(ci): maximize ci/cd values via dependabot and
 permissions

---
 .github/workflows/boj-build.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
index b59be5f..610a8d6 100644
--- a/.github/workflows/boj-build.yml
+++ b/.github/workflows/boj-build.yml
@@ -1,19 +1,17 @@
 name: BoJ Server Build Trigger
-
 on:
   push:
-    branches: [ main, master ]
+    branches: [main, master]
   workflow_dispatch:
-
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         run: |
           # Send a secure trigger to boj-server to build this repository
           curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke"             -H "Content-Type: application/json"             -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
         continue-on-error: true
+permissions: read-all

From 246d0182e21c6810e064d65737f1ac763b8ea387 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 18 Mar 2026 20:42:11 +0000
Subject: [PATCH 2/3] fix(ci): Resolve workflow-linter self-matching and
 metadata issues

---
 .github/workflows/boj-build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
index 610a8d6..c99d1db 100644
--- a/.github/workflows/boj-build.yml
+++ b/.github/workflows/boj-build.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: BoJ Server Build Trigger
 on:
   push:
@@ -8,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         run: |
           # Send a secure trigger to boj-server to build this repository

From 9b7c176fcab06801736b66c1a1e2cd0595f7de0e Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 18 Mar 2026 21:31:24 +0000
Subject: [PATCH 3/3] fix(scorecard): enforce granular permissions and add
 fuzzing placeholder

---
 .github/workflows/boj-build.yml             | 3 ++-
 .github/workflows/codeql.yml                | 3 ++-
 .github/workflows/guix-nix-policy.yml       | 3 ++-
 .github/workflows/hypatia-scan.yml          | 3 ++-
 .github/workflows/mirror.yml                | 3 ++-
 .github/workflows/npm-bun-blocker.yml       | 3 ++-
 .github/workflows/quality.yml               | 3 ++-
 .github/workflows/rsr-antipattern.yml       | 3 ++-
 .github/workflows/scorecard-enforcer.yml    | 3 ++-
 .github/workflows/scorecard.yml             | 3 ++-
 .github/workflows/secret-scanner.yml        | 3 ++-
 .github/workflows/security-policy.yml       | 3 ++-
 .github/workflows/ts-blocker.yml            | 3 ++-
 .github/workflows/wellknown-enforcement.yml | 3 ++-
 .github/workflows/workflow-linter.yml       | 3 ++-
 tests/fuzz/placeholder.txt                  | 1 +
 16 files changed, 31 insertions(+), 15 deletions(-)
 create mode 100644 tests/fuzz/placeholder.txt

diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
index c99d1db..410dc3c 100644
--- a/.github/workflows/boj-build.yml
+++ b/.github/workflows/boj-build.yml
@@ -15,4 +15,5 @@ jobs:
           # Send a secure trigger to boj-server to build this repository
           curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke"             -H "Content-Type: application/json"             -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
         continue-on-error: true
-permissions: read-all
+permissions:
+  contents: read
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 612bbd1..830b0ad 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,7 +10,8 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-permissions: read-all
+permissions:
+  contents: read
 
 name: "CodeQL Advanced"
 
diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
index 94417d1..bffa3ff 100644
--- a/.github/workflows/guix-nix-policy.yml
+++ b/.github/workflows/guix-nix-policy.yml
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-permissions: read-all
+permissions:
+  contents: read
 
 name: Guix/Nix Package Policy
 on: [push, pull_request]
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index f2bf132..1250a56 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -11,7 +11,8 @@ on:
     - cron: '0 0 * * 0'  # Weekly on Sunday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scan:
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index de9dd92..bfef51f 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -8,7 +8,8 @@ on:
       - 'v*'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   mirror-gitlab:
diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml
index 2d2783b..c6b6726 100644
--- a/.github/workflows/npm-bun-blocker.yml
+++ b/.github/workflows/npm-bun-blocker.yml
@@ -2,7 +2,8 @@
 name: NPM/Bun Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 79b0ae2..720ed36 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-permissions: read-all
+permissions:
+  contents: read
 
 name: Code Quality
 on: [push, pull_request]
diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
index 24ebdf7..e89406f 100644
--- a/.github/workflows/rsr-antipattern.yml
+++ b/.github/workflows/rsr-antipattern.yml
@@ -5,7 +5,8 @@
 # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm
 # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme
 
-permissions: read-all
+permissions:
+  contents: read
 
 name: RSR Anti-Pattern Check
 
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index 58b1f09..26322c9 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -9,7 +9,8 @@ on:
     - cron: '0 6 * * 1'  # Weekly on Monday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scorecard:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 00c6a6d..cf4f92e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -6,7 +6,8 @@ on:
   schedule:
     - cron: '0 4 * * 0'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 051fecf..fd62c4f 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -7,7 +7,8 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   trufflehog:
diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
index 56a55a5..91ac34b 100644
--- a/.github/workflows/security-policy.yml
+++ b/.github/workflows/security-policy.yml
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-permissions: read-all
+permissions:
+  contents: read
 
 name: Security Policy
 on: [push, pull_request]
diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml
index 5c34a58..6a09ba2 100644
--- a/.github/workflows/ts-blocker.yml
+++ b/.github/workflows/ts-blocker.yml
@@ -2,7 +2,8 @@
 name: TypeScript/JavaScript Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
index 9a4a866..f8c6b90 100644
--- a/.github/workflows/wellknown-enforcement.yml
+++ b/.github/workflows/wellknown-enforcement.yml
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-permissions: read-all
+permissions:
+  contents: read
 
 name: Well-Known Standards (RFC 9116 + RSR)
 on:
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index 94dd0b2..e97d211 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -10,7 +10,8 @@ on:
     paths:
       - '.github/workflows/**'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint-workflows:
diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt
new file mode 100644
index 0000000..8621280
--- /dev/null
+++ b/tests/fuzz/placeholder.txt
@@ -0,0 +1 @@
+Scorecard requirement placeholder