ci: redistribute concurrency-cancel guard to read-only check workflows

.github/workflows/codeql.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 name: CodeQL Security Analysis
 
 on:
@@ -8,9 +8,11 @@ on:
     branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
-# Estate guardrail: cancel superseded runs so re-pushes don't pile up
-# queued runs across the estate. Safe here because this workflow only
-# performs read-only checks/lint/test/scan with no publish or mutation.
+
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -19,58 +21,29 @@ permissions:
   contents: read
 
 jobs:
-  # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
-  # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
-  # made CodeQL exit with a "no source / configuration error" on every
-  # non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
-  # Detect the languages the repo ACTUALLY contains and only analyse the
-  # CodeQL-supported, buildless-safe ones; skip entirely when none apply.
-  detect:
-    runs-on: ubuntu-latest
-    outputs:
-      langs: ${{ steps.pick.outputs.langs }}
-    steps:
-      - name: Pick CodeQL languages from repo language stats
-        id: pick
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
-          out=""
-          add() { out="$out $1"; }
-          echo "$stats" | grep -qix 'Rust'                 && add rust
-          echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
-          echo "$stats" | grep -qix 'Python'               && add python
-          echo "$stats" | grep -qix 'Ruby'                 && add ruby
-          echo "$stats" | grep -qix 'Go'                   && add go
-          arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
-          [ -z "$arr" ] && arr='[]'
-          echo "Detected CodeQL languages: $arr"
-          echo "langs=$arr" >> "$GITHUB_OUTPUT"
-
   analyze:
-    needs: detect
-    if: needs.detect.outputs.langs != '[]'
     runs-on: ubuntu-latest
     permissions:
       contents: read
       security-events: write
     strategy:
       fail-fast: false
       matrix:
-        language: ${{ fromJSON(needs.detect.outputs.langs) }}
+        include:
+          - language: javascript-typescript
+            build-mode: none
 
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
+        uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           languages: ${{ matrix.language }}
-          build-mode: none
+          build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
+        uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/governance.yml

@@ -1,16 +1,14 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-# governance.yml — single wrapper that calls the shared estate governance
-# bundle in hyperpolymath/standards instead of carrying ~8 local copies.
+# governance.yml — single wrapper calling the shared estate governance bundle
+# in hyperpolymath/standards instead of carrying per-repo copies.
 #
-# Replaces (deleted in verisimiser#59):
+# Replaces the per-repo governance scaffolding removed in the same commit:
 #   quality.yml, guix-nix-policy.yml, npm-bun-blocker.yml, ts-blocker.yml,
 #   security-policy.yml, rsr-antipattern.yml, wellknown-enforcement.yml,
 #   workflow-linter.yml
 #
-# Load-bearing workflows stay standalone in this repo:
-#   rust-ci, codeql, dependabot-automerge, release
-# (plus repo-specific gates dogfood-gate / static-analysis-gate and the
-#  mirror/pages/scan plumbing, which have side effects or no PR noise).
+# Load-bearing build/security workflows stay standalone in the repo
+# (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing).
 
 name: Governance
 

.github/workflows/scorecard-enforcer.yml

@@ -39,7 +39,7 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
         with:
           sarif_file: results.sarif
 

.github/workflows/scorecard.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 name: OSSF Scorecard
 on:
   push:
@@ -30,12 +30,12 @@ jobs:
           persist-credentials: false
 
       - name: Run Scorecard
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
 
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.31.8
+        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
         with:
           sarif_file: results.sarif

.github/workflows/secret-scanner.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: PMPL-1.0
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
 
@@ -22,19 +22,21 @@ jobs:
   trufflehog:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0  # Full history for scanning
 
       - name: TruffleHog Secret Scan
         uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
         with:
-          extra_args: --only-verified --fail
+          # The v3 action injects --fail automatically on pull_request events.
+          # Passing --fail here triggers "flag 'fail' cannot be repeated".
+          extra_args: --only-verified
 
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0
 
@@ -46,12 +48,15 @@ jobs:
   # Rust-specific: Check for hardcoded crypto values
   rust-secrets:
     runs-on: ubuntu-latest
-    if: hashFiles('**/Cargo.toml') != ''
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - name: Check for hardcoded secrets in Rust
         run: |
+          if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
+            echo 'No Cargo.toml found — skipping Rust secrets check'
+            exit 0
+          fi
           # Patterns that suggest hardcoded secrets
           PATTERNS=(
             'const.*SECRET.*=.*"'