chore(ci): replace scorecard.yml with reusable wrapper #52

Merged
hyperpolymath merged 1 commit into main from chore/scorecard-reusable-wrapper on May 28, 2026
Conversation

@hyperpolymath
Owner

Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the canonical scorecard.yml with a thin wrapper. Closes the 5-candidate convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26 (standards#199 / #205).

@hyperpolymath hyperpolymath merged commit 69d336c into main May 28, 2026
34 of 69 checks passed
@hyperpolymath hyperpolymath deleted the chore/scorecard-reusable-wrapper branch May 28, 2026 23:56
@github-actions

🔍 Hypatia Security Scan

Findings: 83 issues detected

Severity Count
🔴 Critical 1
🟠 High 5
🟡 Medium 77

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "No permissions declaration -- add permissions: read-all",
    "type": "missing_permissions",
    "file": "gleam-ci.yml",
    "action": "add_permissions",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "No permissions declaration -- add permissions: read-all",
    "type": "missing_permissions",
    "file": "language-policy.yml",
    "action": "add_permissions",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "No permissions declaration -- add permissions: read-all",
    "type": "missing_permissions",
    "file": "rescript-deno-ci.yml",
    "action": "add_permissions",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
