Merged
19 changes: 19 additions & 0 deletions .github/workflows/boj-build.yml
@@ -0,0 +1,19 @@
# SPDX-License-Identifier: PMPL-1.0-or-later
name: BoJ Server Build Trigger
on:
push:
branches: [main, master]
workflow_dispatch:
jobs:
trigger-boj:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Trigger BoJ Server (Casket/ssg-mcp)
run: |
# Send a secure trigger to boj-server to build this repository
curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}

P1 Badge Fix the malformed curl -d payload in the BoJ trigger

The run script's -d argument currently ends with "casket\\"}"} which leaves the shell with an unmatched double quote and an extra }. I copied the resolved command into bash -n and it fails with unexpected EOF while looking for matching '"', so this step never reaches curl and the new workflow cannot trigger BoJ at all.


P2 Badge Point the workflow at an endpoint reachable from GitHub runners

This job runs on a stock ubuntu-latest runner and only performs actions/checkout, so there is nothing here that makes boj-server.local:7700 reachable (no services: block, tunnel, or self-hosted runner label). Even after fixing the quoting bug above, GitHub-hosted executions will still fail to contact BoJ and, because the step is marked continue-on-error, the repository will silently skip the intended build trigger on every push.


continue-on-error: true
permissions:
contents: read
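Review bot: The `run:` line expands `${{ github.repository }}` and `${{ github.ref_name }}` directly into the shell script, and `workflow_dispatch` allows the job to be started against any branch that carries this file, so a ref name containing quotes or `$(...)` is interpreted by the shell before curl runs. Pass both values through an `env:` block (for example `REF_NAME: ${{ github.ref_name }}`) and build the JSON body from `"$REF_NAME"`, preferably with `jq -n --arg` so the values are escaped. Separately, the script comment calls this a secure trigger, but the request goes over plain `http://` with no credential header; either send it over TLS with an authenticated header or reword the comment. The checkout step is not used by anything in this job and can be dropped.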
3 changes: 2 additions & 1 deletion .github/workflows/codeql.yml
Expand Up @@ -9,7 +9,8 @@ on:
schedule:
- cron: '0 6 * * 1'

permissions: read-all
permissions:
contents: read

jobs:
analyze:
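Review bot: Narrowing the workflow default from `read-all` to `contents: read` also removes read access to every other scope for any job that has no `permissions:` block of its own, and the body of the `analyze` job is cut off below this hunk. Please confirm the job declares what it needs; uploading CodeQL results requires `security-events: write`, which neither the old nor the new default grants, so the job-level block is what decides whether the next scheduled run succeeds.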
3 changes: 2 additions & 1 deletion .github/workflows/guix-nix-policy.yml
Expand Up @@ -2,7 +2,8 @@
name: Guix/Nix Package Policy
on: [push, pull_request]

permissions: read-all
permissions:
contents: read

jobs:
check:
3 changes: 2 additions & 1 deletion .github/workflows/hypatia-scan.yml
Expand Up @@ -11,7 +11,8 @@ on:
- cron: '0 0 * * 0' # Weekly on Sunday
workflow_dispatch:

permissions: read-all
permissions:
contents: read

jobs:
scan:
3 changes: 2 additions & 1 deletion .github/workflows/mirror.yml
Expand Up @@ -7,7 +7,8 @@ on:
branches: [main]
workflow_dispatch:

permissions: read-all
permissions:
contents: read

jobs:
mirror-gitlab:
3 changes: 2 additions & 1 deletion .github/workflows/npm-bun-blocker.yml
Expand Up @@ -2,7 +2,8 @@
name: NPM/Bun Blocker
on: [push, pull_request]

permissions: read-all
permissions:
contents: read

jobs:
check:
3 changes: 2 additions & 1 deletion .github/workflows/quality.yml
Expand Up @@ -3,7 +3,8 @@ name: Code Quality
on: [push, pull_request]


permissions: read-all
permissions:
contents: read

jobs:
lint:
3 changes: 2 additions & 1 deletion .github/workflows/rsr-antipattern.yml
Expand Up @@ -13,7 +13,8 @@ on:
branches: [main, master, develop]


permissions: read-all
permissions:
contents: read

jobs:
antipattern-check:
3 changes: 2 additions & 1 deletion .github/workflows/scorecard-enforcer.yml
Expand Up @@ -9,7 +9,8 @@ on:
- cron: '0 6 * * 1' # Weekly on Monday
workflow_dispatch:

permissions: read-all
permissions:
contents: read

jobs:
scorecard:
3 changes: 2 additions & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -7,7 +7,8 @@ on:
- cron: '0 4 * * *'
workflow_dispatch:

permissions: read-all
permissions:
contents: read

jobs:
analysis:
3 changes: 2 additions & 1 deletion .github/workflows/secret-scanner.yml
Expand Up @@ -7,7 +7,8 @@ on:
push:
branches: [main]

permissions: read-all
permissions:
contents: read

jobs:
trufflehog:
3 changes: 2 additions & 1 deletion .github/workflows/security-policy.yml
Expand Up @@ -2,7 +2,8 @@
name: Security Policy
on: [push, pull_request]

permissions: read-all
permissions:
contents: read

jobs:
check:
3 changes: 2 additions & 1 deletion .github/workflows/ts-blocker.yml
Expand Up @@ -2,7 +2,8 @@
name: TypeScript/JavaScript Blocker
on: [push, pull_request]

permissions: read-all
permissions:
contents: read

jobs:
check:
3 changes: 2 additions & 1 deletion .github/workflows/wellknown-enforcement.yml
Expand Up @@ -15,7 +15,8 @@ on:
workflow_dispatch:


permissions: read-all
permissions:
contents: read

jobs:
validate:
6 changes: 4 additions & 2 deletions .github/workflows/workflow-linter.yml
Expand Up @@ -12,7 +12,8 @@ on:
- '.github/workflows/**'
workflow_dispatch:

permissions: read-all
permissions:
contents: read

jobs:
lint-workflows:
Expand Down Expand Up @@ -53,7 +54,8 @@ jobs:
fi
done
if [ $failed -eq 1 ]; then
echo "Add 'permissions: read-all' at workflow level"
echo "Add 'permissions:
contents: read' at workflow level"
exit 1
fi
echo "All workflows have permissions declared"
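Review bot: The replacement on the `echo` line has split the hint across two lines, so the quoted string now contains a newline and its second line (`contents: read' at workflow level"`) must carry the surrounding block scalar's indentation for the workflow file to remain valid YAML. Keep the message on one line, for example `echo "Add a workflow-level 'permissions:' block with 'contents: read'"`. It is also worth checking that the detection loop above this hunk accepts the block form and does not look only for the literal `permissions: read-all`.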
18 changes: 18 additions & 0 deletions .machine_readable/anchors/ANCHOR.a2ml
@@ -0,0 +1,18 @@
# ⚓ ANCHOR: developer-ecosystem
# This is the canonical authority for the developer-ecosystem repository.

id: "org.hyperpolymath.developer-ecosystem"
version: "1.0.0"
clade: "unknown"
status: "active"

# SSG Configuration (Unified boj-server build)
ssg:
engine: "casket"
output_dir: "public"
boj_trigger: true
cartridge: "ssg-mcp"

# Relationships
parents:
- "org.hyperpolymath.boj-server"
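Review bot: `clade: "unknown"` is a placeholder in a file whose header declares it the canonical authority for the repository; set the real value or leave the key out until it is known, so consumers do not treat "unknown" as a classification. The file also carries no SPDX line, unlike the workflow added in this PR.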
13 changes: 7 additions & 6 deletions ada-ecosystem/ada-loom-registry/contractiles/k9/README.adoc
Expand Up @@ -130,7 +130,7 @@ K9 contractiles integrate with other RSR standards:
⚠️ **Never run as root unless required** +
⚠️ **Sandbox external components**

**See:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-BEST-PRACTICES.adoc
**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc

== Template Files

Expand All @@ -154,14 +154,15 @@ chmod +x nickel && sudo mv nickel /usr/local/bin/
cargo install just

# Clone K9-SVC (for must shim and tooling)
git clone https://github.com/hyperpolymath/k9-svc.git
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/k9-svc
----

== Learn More

- **K9-SVC Specification:** https://github.com/hyperpolymath/k9-svc/blob/main/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/k9-svc/blob/main/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-FAQ.adoc
- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc
- **IANA Media Type:** `application/vnd.k9+nickel`

== Contributing
Expand All @@ -174,4 +175,4 @@ When adding K9 contractiles to your repository:
4. Sign Hunt-level components before committing
5. Add K9 validation to CI/CD pipeline

**Questions?** Open an issue on https://github.com/hyperpolymath/k9-svc
**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc
13 changes: 7 additions & 6 deletions aggregate-library/contractiles/k9/README.adoc
Expand Up @@ -130,7 +130,7 @@ K9 contractiles integrate with other RSR standards:
⚠️ **Never run as root unless required** +
⚠️ **Sandbox external components**

**See:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-BEST-PRACTICES.adoc
**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc

== Template Files

Expand All @@ -154,14 +154,15 @@ chmod +x nickel && sudo mv nickel /usr/local/bin/
cargo install just

# Clone K9-SVC (for must shim and tooling)
git clone https://github.com/hyperpolymath/k9-svc.git
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/k9-svc
----

== Learn More

- **K9-SVC Specification:** https://github.com/hyperpolymath/k9-svc/blob/main/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/k9-svc/blob/main/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-FAQ.adoc
- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc
- **IANA Media Type:** `application/vnd.k9+nickel`

== Contributing
Expand All @@ -174,4 +175,4 @@ When adding K9 contractiles to your repository:
4. Sign Hunt-level components before committing
5. Add K9 validation to CI/CD pipeline

**Questions?** Open an issue on https://github.com/hyperpolymath/k9-svc
**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc
13 changes: 7 additions & 6 deletions contractiles/k9/README.adoc
Expand Up @@ -130,7 +130,7 @@ K9 contractiles integrate with other RSR standards:
⚠️ **Never run as root unless required** +
⚠️ **Sandbox external components**

**See:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-BEST-PRACTICES.adoc
**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc

== Template Files

Expand All @@ -154,14 +154,15 @@ chmod +x nickel && sudo mv nickel /usr/local/bin/
cargo install just

# Clone K9-SVC (for must shim and tooling)
git clone https://github.com/hyperpolymath/k9-svc.git
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/.git
----

== Learn More

- **K9-SVC Specification:** https://github.com/hyperpolymath/k9-svc/blob/main/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/k9-svc/blob/main/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-FAQ.adoc
- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc
- **IANA Media Type:** `application/vnd.k9+nickel`

== Contributing
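Review bot: The comment added under `git clone` reads `# Note: K9-SVC is located in standards/.git`, which points readers at the clone's Git metadata directory instead of the project. The other README copies in this PR say `standards/k9-svc`, which matches the new links in this same hunk; change the line to `# Note: K9-SVC is located in standards/k9-svc`.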
Expand All @@ -174,4 +175,4 @@ When adding K9 contractiles to your repository:
4. Sign Hunt-level components before committing
5. Add K9 validation to CI/CD pipeline

**Questions?** Open an issue on https://github.com/hyperpolymath/k9-svc
**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc
13 changes: 7 additions & 6 deletions coq-ecosystem/coq-jr/contractiles/k9/README.adoc
Expand Up @@ -130,7 +130,7 @@ K9 contractiles integrate with other RSR standards:
⚠️ **Never run as root unless required** +
⚠️ **Sandbox external components**

**See:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-BEST-PRACTICES.adoc
**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc

== Template Files

Expand All @@ -154,14 +154,15 @@ chmod +x nickel && sudo mv nickel /usr/local/bin/
cargo install just

# Clone K9-SVC (for must shim and tooling)
git clone https://github.com/hyperpolymath/k9-svc.git
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/k9-svc
----

== Learn More

- **K9-SVC Specification:** https://github.com/hyperpolymath/k9-svc/blob/main/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/k9-svc/blob/main/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-FAQ.adoc
- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc
- **IANA Media Type:** `application/vnd.k9+nickel`

== Contributing
Expand All @@ -174,4 +175,4 @@ When adding K9 contractiles to your repository:
4. Sign Hunt-level components before committing
5. Add K9 validation to CI/CD pipeline

**Questions?** Open an issue on https://github.com/hyperpolymath/k9-svc
**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc
13 changes: 7 additions & 6 deletions deno-ecosystem/contractiles/k9/README.adoc
Expand Up @@ -130,7 +130,7 @@ K9 contractiles integrate with other RSR standards:
⚠️ **Never run as root unless required** +
⚠️ **Sandbox external components**

**See:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-BEST-PRACTICES.adoc
**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc

== Template Files

Expand All @@ -154,14 +154,15 @@ chmod +x nickel && sudo mv nickel /usr/local/bin/
cargo install just

# Clone K9-SVC (for must shim and tooling)
git clone https://github.com/hyperpolymath/k9-svc.git
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/.git
----

== Learn More

- **K9-SVC Specification:** https://github.com/hyperpolymath/k9-svc/blob/main/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/k9-svc/blob/main/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-FAQ.adoc
- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc
- **IANA Media Type:** `application/vnd.k9+nickel`

== Contributing
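Review bot: `# Note: K9-SVC is located in standards/.git` in the install snippet is wrong: `.git` is the repository metadata directory, and the Learn More links a few lines down all use `standards/.../k9-svc`. This looks like a search-and-replace on `k9-svc.git` that also caught the note; it should read `standards/k9-svc`.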
Expand All @@ -174,4 +175,4 @@ When adding K9 contractiles to your repository:
4. Sign Hunt-level components before committing
5. Add K9 validation to CI/CD pipeline

**Questions?** Open an issue on https://github.com/hyperpolymath/k9-svc
**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc
13 changes: 7 additions & 6 deletions devkit-risc-v/contractiles/k9/README.adoc
Expand Up @@ -130,7 +130,7 @@ K9 contractiles integrate with other RSR standards:
⚠️ **Never run as root unless required** +
⚠️ **Sandbox external components**

**See:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-BEST-PRACTICES.adoc
**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc

== Template Files

Expand All @@ -154,14 +154,15 @@ chmod +x nickel && sudo mv nickel /usr/local/bin/
cargo install just

# Clone K9-SVC (for must shim and tooling)
git clone https://github.com/hyperpolymath/k9-svc.git
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/.git
----

== Learn More

- **K9-SVC Specification:** https://github.com/hyperpolymath/k9-svc/blob/main/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/k9-svc/blob/main/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/k9-svc/blob/main/docs/SECURITY-FAQ.adoc
- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc
- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc
- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc
- **IANA Media Type:** `application/vnd.k9+nickel`

== Contributing
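Review bot: The note after the clone command says K9-SVC lives in `standards/.git`, but the specification, guide and security links added in this hunk all resolve under `k9-svc` in the `standards` repository. Correct the note to `standards/k9-svc` so the path a reader changes into after cloning actually contains the must shim and tooling.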
Expand All @@ -174,4 +175,4 @@ When adding K9 contractiles to your repository:
4. Sign Hunt-level components before committing
5. Add K9 validation to CI/CD pipeline

**Questions?** Open an issue on https://github.com/hyperpolymath/k9-svc
**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc