From b0f204136901872344f326aed9b9cca5955a03ab Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 23 May 2026 03:14:03 +0100
Subject: [PATCH 1/2] feat(security): fleet-wide workflow hardening (SHA
 pinning + permissions)

---
 .github/workflows/release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b06484..ed4dd17 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,13 +5,15 @@ on:
     tags:
       - 'v*'
 
+permissions: read-all
+
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
           files: |
             docs/whitepapers/academic/snif.pdf

From 1cea6c1440c2408a2296745c88a13f3c09706b27 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 17:46:57 +0100
Subject: [PATCH 2/2] ci(scorecard): add job-level permissions for reusable
 workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `scorecard-reusable.yml` reusable requires the calling `analysis` job
to declare `security-events: write` and `id-token: write` — called-workflow
permissions are CAPPED by the caller's block (the reusable docstring
states this explicitly).

Without this, every Scorecard run silently fails with `startup_failure`
because ossf/scorecard-action cannot upload SARIF.

Estate-wide sweep tracked at hyperpolymath/standards#282; same pattern as
julia-professional-registry#19 (2026-05-27) and absolute-zero#68
(2026-05-30).

Refs hyperpolymath/standards#282

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/scorecard.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 620ed0a..70b649f 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -20,6 +20,9 @@ permissions:
 
 jobs:
   analysis:
+    permissions:
+      security-events: write
+      id-token: write
     runs-on: ubuntu-latest
     permissions:
       security-events: write