ci: align public free CI coverage

Author: rldyourmnd

.github/workflows/README.md

@@ -0,0 +1,37 @@
+# GitHub Actions Workflows
+
+Nine workflows provide the public/free CI surface for the Codex adapter. The
+repository is public, so standard GitHub-hosted runners do not consume the
+owner's private-repository Actions minutes. Keep every workflow on standard
+runner labels and keep third-party actions pinned to full commit SHAs.
+
+## Required PR Gates
+
+| Workflow | Purpose |
+| --- | --- |
+| `validate.yml` | Fast validation, optional runtime/release/MCP scopes, Linux and macOS coverage. |
+| `security-static.yml` | Action pin validation, actionlint, text security scan, ShellCheck, Pyright, Semgrep. |
+| `secret-scan.yml` | Gitleaks history scan for accidental secrets. |
+| `codeql.yml` | CodeQL code scanning for the adapter source surface. |
+| `dependency-review.yml` | Pull-request dependency diff review. |
+
+## Supply-Chain And Drift Gates
+
+| Workflow | Trigger | Purpose |
+| --- | --- | --- |
+| `scorecard.yml` | push, weekly, manual, branch-protection changes | OpenSSF Scorecard SARIF and code-scanning upload. |
+| `dependency-check.yml` | daily, config changes, manual | MCP/runtime pin freshness and dependency report. |
+| `labeler.yml` | pull requests | Unprivileged PR labels, skipped for forks. |
+
+## Release Gate
+
+| Workflow | Trigger | Purpose |
+| --- | --- | --- |
+| `release.yml` | numeric product tag or manual dispatch | Release validation, deterministic bundle, SBOM, attestations, GitHub Release. |
+
+## Cost Policy
+
+- Public adapter CI must stay on standard GitHub-hosted runner labels only.
+- No self-hosted or non-standard runner labels.
+- Workflow artifacts must set explicit retention and stay at or below 30 days.
+- Heavy or drift-oriented checks use schedules/manual dispatch where practical.

.github/workflows/secret-scan.yml

@@ -0,0 +1,43 @@
+name: secret-scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "17 6 * * 2"
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: secret-scan-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gitleaks:
+    name: Gitleaks secret scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks detect
+        shell: bash
+        run: |
+          set -euo pipefail
+          image="zricethezav/gitleaks:v8.30.1@sha256:c00b6bd0aeb3071cbcb79009cb16a60dd9e0a7c60e2be9ab65d25e6bc8abbb7f"
+          docker run --rm \
+            -v "${{ github.workspace }}:/repo" \
+            "$image" \
+            detect \
+              --source /repo \
+              --redact \
+              --no-banner \
+              --exit-code 1

CHANGELOG.md

@@ -7,6 +7,12 @@ The format follows Keep a Changelog, and marketplace/plugin versions follow Sema
 ## [Unreleased]
 
 
+## [1.1.12] - 2026-05-30
+
+### Changed
+
+- Align public free CI capability coverage.
+
 ## [1.1.11] - 2026-05-30
 
 ### Fixed

VERSION

@@ -1 +1 @@
-1.1.11
+1.1.12

plugins/rldyour-browser/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-browser",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Браузерная проверка и debug для Playwright/DevTools. EN: Browser validation and debugging workflows.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-design/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-design",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Дизайн/Figma/UI workflow с tokens, i18n, FSD и browser proof. EN: Design implementation workflows.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-explore/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-explore",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Исследование docs, upstream и web evidence. EN: Technical and web research skills.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-flow/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-flow",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Автономный SDLC Codex: ry-init/start/review/repair/deploy, hooks и sync. EN: SDLC workflow.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-lsps/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-lsps",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Маршрутизация LSP, health checks и Serena integration. EN: Language server workflow.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",

plugins/rldyour-mcps/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "rldyour-mcps",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Управляемые MCP-серверы Codex без hidden transports. EN: Controlled MCP runtime set.",
   "author": {
     "name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",