From 1b7b3da8a60f8f7e67b77b39e5e4e5cffb1e58aa Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 20 Jun 2026 07:30:42 +0000
Subject: [PATCH 1/2] fix(security): pin governance reusable to SHA, migrate stale PMPL-1.0 headers, tighten dispatch gate

Follow-ups to #30 (which merged before these could be appended):

- governance.yml: pin governance-reusable.yml@main -> @e0caf11508a3989574713c78f5f444f2ce5e33ef (the standards commit scorecard.yml already trusts). Clears the DependencyPinning finding.
- License: migrate the remaining stale PMPL-1.0 SPDX headers to MPL-2.0 on codeql.yml, scorecard.yml and secret-scanner.yml (leftovers from the repo's PMPL-1.0 -> MPL-2.0 migration). No docs carried stale SPDX headers, so CC-BY-SA-4.0 had no targets this pass.
- instant-sync.yml: the repository-dispatch action now consumes the gated env var (token: env.FARM_DISPATCH_TOKEN) instead of secrets directly, so the presence gate and the secret consumption reference the same identifier - helping workflow_audit recognise the gate.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/governance.yml | 2 +-
 .github/workflows/instant-sync.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 .github/workflows/secret-scanner.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d2612c3..ba87ffe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
 on:
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 653ef98..15d99c1 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -31,4 +31,4 @@ permissions:
 jobs:
 governance:
- uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
+ uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml
index 6502b8c..38c927a 100644
--- a/.github/workflows/instant-sync.yml
+++ b/.github/workflows/instant-sync.yml
@@ -26,7 +26,7 @@ jobs:
 if: ${{ env.FARM_DISPATCH_TOKEN != '' }}
 uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
 with:
- token: ${{ secrets.FARM_DISPATCH_TOKEN }}
+ token: ${{ env.FARM_DISPATCH_TOKEN }}
 repository: hyperpolymath/.git-private-farm
 event-type: propagate
 client-payload: |-
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index b14a058..42125a2 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: MPL-2.0
 name: Scorecards supply-chain security
 on:
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 586cdc0..097d2af 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: MPL-2.0
 name: Secret Scanner
 on:

From 57af1ae3946f81b65d9752d9817b4427ea5c1302 Mon Sep 17 00:00:00 2001
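Review bot: The pinned `uses:` line in governance.yml carries no trailing comment saying what the SHA corresponds to, unlike the `# v3` convention the instant-sync hunk shows on the repository-dispatch pin, so a later reader cannot tell which standards revision it is or whether it has drifted from the copy scorecard.yml pins. Suggest `uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef  # standards <tag-or-date placeholder>, same ref as scorecard.yml`. The commit message describes this SHA as a commit scorecard.yml already trusts rather than a release, so the pin only stays meaningful if something tracks it forward; nothing in this hunk shows that. The `jobs:` block starts above line 31, outside the hunk.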
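Review bot: `token: ${{ env.FARM_DISPATCH_TOKEN }}` now takes the dispatch token from the environment, and the `env:` mapping that fills it from `secrets.FARM_DISPATCH_TOKEN` lies outside this hunk, so confirm it is declared at the narrowest scope the step-level `if:` can still read: a workflow- or job-level `env:` hands the token to every step in the job, whereas the replaced `secrets.` reference only passed it to the repository-dispatch action. If job scope is the only option, a comment above the gate such as `# FARM_DISPATCH_TOKEN is mirrored from secrets in the job env so the gate and the action share one name` would record why the token is widened. The step begins before line 26 and `client-payload:` continues past the hunk's last line.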
From: Claude
Date: Sat, 20 Jun 2026 07:35:10 +0000
Subject: [PATCH 2/2] revert(ci): un-pin governance reusable back to @main

The e0caf115 pin (the SHA scorecard.yml uses) broke 'governance / Language / package anti-pattern policy': that older governance-reusable.yml version checks out hyperpolymath/standards at the CALLER's commit (github.sha = the wokelangiser PR merge commit), which doesn't exist in standards -> 'fatal: remote error: upload-pack: not our ref'. The @main version doesn't have this bug, so revert restores green CI. DependencyPinning stays open until a current standards@main SHA (with the fix) is available; standards is out of this session's scope.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
---
 .github/workflows/governance.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 15d99c1..653ef98 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -31,4 +31,4 @@ permissions:
 jobs:
 governance:
- uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
+ uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
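Review bot: The new side restores `@main`, a mutable ref, so the governance job again runs whatever hyperpolymath/standards pushes to its main branch, under this repository's permissions, and the DependencyPinning finding reopens as the message concedes. The message also states that the current `@main` version does not have the checkout bug, which means a known-good commit exists right now; pinning that tip instead of the branch name, `uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@<current-standards-main-sha>  # standards main, <date>`, would keep CI green and close the finding without touching the standards repo. If standards@main is expected to keep moving before the fix is tagged, a comment above the line saying so would make the unpinned ref read as deliberate rather than forgotten. The `governance:` job ends outside the hunk.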