From 5003788c023306a214aeaab8b3e46da3f73e44a8 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 12:38:43 +0100 Subject: [PATCH 1/5] ci: redistribute canonical codeql.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/codeql.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ec61cf4..9e32d15 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0-or-later +# SPDX-License-Identifier: PMPL-1.0 name: CodeQL Security Analysis on: @@ -9,6 +9,14 @@ on: schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes / rebased PR +# updates do not pile up queued runs against the shared account-wide +# Actions concurrency pool. Applied only to read-only check workflows +# (no publish/mutation), so cancelling a superseded run is always safe. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read @@ -30,17 +38,12 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.28.1 + uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.28.1 + uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3 with: category: "/language:${{ matrix.language }}" - - - name: K9-SVC Validation - run: | - echo "K9-SVC validation" - [ -d .machine_readable/contractiles ] && echo "Contractiles present" || echo "No contractiles" From 12929ef24126ad0eea27d1e071c6e5d8bbc1a501 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 12:38:44 +0100 Subject: [PATCH 2/5] ci: redistribute canonical governance.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) From d98fab4c5e750ef03a1925f8d1b153fe2ba03601 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 12:38:45 +0100 Subject: [PATCH 3/5] ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/scorecard-enforcer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index efa4812..04206c0 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -39,7 +39,7 @@ jobs: publish_results: true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4 + uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4 with: sarif_file: results.sarif From 2d15ac2f9e3232eb445b2243bb5c9b3fcc0c2153 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 12:38:47 +0100 Subject: [PATCH 4/5] ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9e45d58..29853b2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0-or-later +# SPDX-License-Identifier: PMPL-1.0 name: OSSF Scorecard on: push: @@ -36,6 +36,6 @@ jobs: results_format: sarif - name: Upload results - uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.31.8 + uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8 with: sarif_file: results.sarif From 3c9761f464b8f61f0c2aafdf9b4f3d5adb5c1b8c Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 12:38:48 +0100 Subject: [PATCH 5/5] ci: redistribute canonical secret-scanner.yml (concurrency-cancel guard) (Refs hyperpolymath/standards#122) --- .github/workflows/secret-scanner.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 36ffc29..8801d53 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0-or-later +# SPDX-License-Identifier: PMPL-1.0 # Prevention workflow - scans for hardcoded secrets before they reach main name: Secret Scanner @@ -27,9 +27,11 @@ jobs: fetch-depth: 0 # Full history for scanning - name: TruffleHog Secret Scan - uses: trufflesecurity/trufflehog@6c64db94d5b2e09d7e0948fb6bd3166cc6fffbc7 # v3 + uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3 with: - extra_args: --only-verified --fail + # The v3 action injects --fail automatically on pull_request events. + # Passing --fail here triggers "flag 'fail' cannot be repeated". + extra_args: --only-verified gitleaks: runs-on: ubuntu-latest @@ -46,12 +48,15 @@ jobs: # Rust-specific: Check for hardcoded crypto values rust-secrets: runs-on: ubuntu-latest - if: hashFiles('**/Cargo.toml') != '' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Check for hardcoded secrets in Rust run: | + if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then + echo 'No Cargo.toml found — skipping Rust secrets check' + exit 0 + fi # Patterns that suggest hardcoded secrets PATTERNS=( 'const.*SECRET.*=.*"'