chore(state): update STATE.a2ml — v-ecosystem connector expansion com… #74

	# SPDX-License-Identifier: PMPL-1.0-or-later
	# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
	name: OpenSSF Scorecard Enforcer

	on:
	push:
	branches: [main]
	schedule:
	- cron: '0 6 * * 1' # Weekly on Monday
	workflow_dispatch:

	permissions:
	contents: read

	jobs:
	scorecard:
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	id-token: write # For OIDC
	steps:
	- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
	with:
	persist-credentials: false

	- name: Run Scorecard
	uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: true

	- name: Upload SARIF
	uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
	with:
	sarif_file: results.sarif

	# Check specific high-priority items (separate job so run: steps
	# do not contaminate the scorecard job that publishes results)
	check-critical:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

	- name: Check SECURITY.md exists
	run: \|
	if [ ! -f "SECURITY.md" ]; then
	echo "::error::SECURITY.md is required"
	exit 1
	fi

	- name: Check for pinned dependencies
	run: \|
	# Check workflows for unpinned actions
	unpinned=$(grep -r "uses:.@v[0-9]" .github/workflows/.yml 2>/dev/null \| grep -v "#" \| head -5 \|\| true)
	if [ -n "$unpinned" ]; then
	echo "::warning::Found unpinned actions:"
	echo "$unpinned"
	fi

Provide feedback