From 1b75fa543866ebb0844617bcf032cdc3e180e6cc Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:15:34 +0100
Subject: [PATCH 1/5] ci: redistribute canonical codeql.yml (concurrency-cancel
 guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/codeql.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 35533c3..9e32d15 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,12 +1,11 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
-# Presswerk — CodeQL workflow analysis (Rust not supported; scans Actions only)
+# SPDX-License-Identifier: PMPL-1.0
 name: CodeQL Security Analysis
 
 on:
   push:
-    branches: [main]
+    branches: [main, master]
   pull_request:
-    branches: [main]
+    branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
 
@@ -31,20 +30,20 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: actions
+          - language: javascript-typescript
             build-mode: none
 
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+        uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3
+        uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           category: "/language:${{ matrix.language }}"

From 40698e69cfc011cbb030c4c1db056919e8b6df83 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:15:35 +0100
Subject: [PATCH 2/5] ci: redistribute canonical governance.yml
 (concurrency-cancel guard) (Refs hyperpolymath/standards#122)


From 519acbefcf97636ddaae505943b8bc92d6934d86 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:15:36 +0100
Subject: [PATCH 3/5] ci: redistribute canonical scorecard-enforcer.yml
 (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/scorecard-enforcer.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index 98a80a9..04206c0 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -27,7 +27,7 @@ jobs:
       security-events: write
       id-token: write  # For OIDC
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -39,7 +39,7 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
         with:
           sarif_file: results.sarif
 
@@ -62,7 +62,7 @@ jobs:
   check-critical:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check SECURITY.md exists
         run: |

From 8613e5079269ca121fd157cd1888cede8a9557e3 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:15:37 +0100
Subject: [PATCH 4/5] ci: redistribute canonical scorecard.yml
 (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/scorecard.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 81a3a4c..29853b2 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 name: OSSF Scorecard
 on:
   push:
@@ -25,7 +25,7 @@ jobs:
       security-events: write
       id-token: write
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -36,6 +36,6 @@ jobs:
           results_format: sarif
 
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.31.8
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
         with:
           sarif_file: results.sarif

From 0f5fc3763e4cd2ae1e29f0b9079b52a08efac8ff Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 12:15:39 +0100
Subject: [PATCH 5/5] ci: redistribute canonical secret-scanner.yml
 (concurrency-cancel guard) (Refs hyperpolymath/standards#122)

---
 .github/workflows/secret-scanner.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 2f404c2..8801d53 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
 
@@ -22,12 +22,12 @@ jobs:
   trufflehog:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0  # Full history for scanning
 
       - name: TruffleHog Secret Scan
-        uses: trufflesecurity/trufflehog@116e7171542d2f1dad8810f00dcfacbe0b809183 # v3
+        uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
         with:
           # The v3 action injects --fail automatically on pull_request events.
           # Passing --fail here triggers "flag 'fail' cannot be repeated".
@@ -36,7 +36,7 @@ jobs:
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0
 
@@ -49,7 +49,7 @@ jobs:
   rust-secrets:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - name: Check for hardcoded secrets in Rust
         run: |