From a7577e5fdb4641a3a27f5a01ee35b3580eaa1983 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 23 May 2026 03:14:03 +0100
Subject: [PATCH 1/2] feat(security): fleet-wide workflow hardening (SHA pinning + permissions)

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b80da1c..e840456 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,7 +34,7 @@ jobs:
 # mix release
 # TODO: Upload build artifacts if needed
- # - uses: actions/upload-artifact@v4
+ # - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 # with:
 # name: release-artifacts
 # path: target/release/
@@ -94,7 +94,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 # TODO: Download build artifacts if uploading to the release
- # - uses: actions/download-artifact@v4
+ # - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 # with:
 # name: release-artifacts
 # path: artifacts/

From a814292adedb1c201e0638507e75cce209de27b6 Mon Sep 17 00:00:00 2001
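Review bot: Both hunks of this patch (`@@ -34` and `@@ -94` in release.yml) rewrite lines that are commented out (`# - uses: actions/upload-artifact@…`, `# - uses: actions/download-artifact@…`), so the SHA pins change nothing about what the workflow actually executes; the only live `uses:` visible, `actions/checkout@de0fac2e… # v6.0.2`, was already pinned before this commit. If the TODO steps are meant to be kept as a template, the trailing annotation should name the exact release the SHA resolves to, matching the `# v6.0.2` style on the checkout line, e.g. `# - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v<EXACT-TAG-FOR-THIS-SHA>`, since a bare `# v4` cannot be checked against the upstream tag and pin-update tooling keys on that comment. The subject line mentions "permissions" hardening, but the diffstat shows only these two comment edits, so if a `permissions:` change was intended for release.yml it is not in this patch. Otherwise consider deleting the dead TODO blocks so future sweeps do not spend effort pinning code that never runs.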
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 17:40:49 +0100
Subject: [PATCH 2/2] ci(scorecard): add job-level permissions for reusable workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `scorecard-reusable.yml` reusable requires the calling `analysis` job to declare `security-events: write` and `id-token: write` — called-workflow permissions are CAPPED by the caller's block (the reusable docstring states this explicitly).

Without this, every Scorecard run silently fails with `startup_failure` because ossf/scorecard-action cannot upload SARIF.

Estate-wide sweep tracked at hyperpolymath/standards#282; same pattern as julia-professional-registry#19 (2026-05-27) and absolute-zero#68 (2026-05-30).

Refs hyperpolymath/standards#282

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/scorecard.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 29853b2..47a020c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -20,6 +20,9 @@ permissions:
 jobs:
 analysis:
+ permissions:
+ security-events: write
+ id-token: write
 runs-on: ubuntu-latest
 permissions:
 security-events: write
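Review bot: The three added lines introduce a second `permissions:` key in the `analysis` job — the context lines right after `runs-on: ubuntu-latest` show the job already has `permissions:` with `security-events: write`. Duplicate mapping keys are invalid in YAML 1.2 and most loaders silently keep the last one, so the new block is either rejected as a workflow-file error or discarded in favour of the existing block; a malformed workflow file is itself one way a run surfaces as `startup_failure`, so this change risks reproducing the symptom the message says it fixes. The fix is to drop the three added lines and put the missing grant in the existing block, i.e. under the existing `permissions:` add `id-token: write` (the rest of that block lies past the end of the hunk, so whether `id-token: write` is already present there cannot be confirmed from this diff). A duplicate-key check such as yamllint's `key-duplicates` rule in CI would catch this class of edit before it reaches the default branch.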