hyperpolymath
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 6 additions & 3 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 10 additions & 6 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎.github/workflows/comprehensive-quality.yml‎
Lines changed: 35 additions & 12 deletions b/‎.github/workflows/comprehensive-quality.yml‎
Lines changed: 35 additions & 12 deletions
diff --git a/‎.github/workflows/generator-generic-ossf-slsa3-publish.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/generator-generic-ossf-slsa3-publish.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/guix-nix-policy.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/guix-nix-policy.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎.github/workflows/mirror.yml‎
Lines changed: 9 additions & 2 deletions b/‎.github/workflows/mirror.yml‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎.github/workflows/npm-bun-blocker.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/npm-bun-blocker.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎.github/workflows/quality.yml‎
Lines changed: 10 additions & 3 deletions b/‎.github/workflows/quality.yml‎
Lines changed: 10 additions & 3 deletions
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: "CodeQL"
 
 on:
@@ -8,6 +9,8 @@ on:
   schedule:
     - cron: '30 1 * * 1'
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
@@ -32,10 +35,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -45,6 +48,6 @@ jobs:
         echo 'Build step for compiled languages'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
       with:
         category: "/language:${{matrix.language}}"
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: CodeQL Security Analysis
 on:
   push:
@@ -7,29 +8,32 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
+permissions: read-all
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false
       matrix:
         language: ['javascript', 'python', 'go', 'java', 'ruby']
     steps:
-      - uses: actions/checkout@v6
-      
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
         continue-on-error: true
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         continue-on-error: true
-      
+
       - name: Perform Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         continue-on-error: true
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Comprehensive Quality Gates
 on:
   push:
@@ -6,12 +7,16 @@ on:
   schedule:
     - cron: '0 5 * * 0'
 
+permissions: read-all
+
 jobs:
   # DEPENDABILITY - Stability and reliability
   dependability:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check test coverage
         run: |
           echo "Checking for test files..."
@@ -29,10 +34,12 @@ jobs:
   # SECURITY - Multi-layer security scanning
   security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Secret scanning
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3.88.3
         continue-on-error: true
       - name: Dependency vulnerabilities
         run: |
@@ -49,8 +56,10 @@ jobs:
   # INTEROPERABILITY - API and format compatibility
   interoperability:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check API specs
         run: |
           if [ -f "openapi.yaml" ] || [ -f "openapi.json" ]; then
@@ -66,8 +75,10 @@ jobs:
   # VALIDATION - Input/output validation
   validation:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check for validation patterns
         run: |
           VALIDATION=$(grep -rE "validate|sanitize|Schema|Validator" --include="*.rs" --include="*.res" --include="*.ex" . 2>/dev/null | wc -l || echo "0")
@@ -81,7 +92,7 @@ jobs:
       contents: read
       attestations: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Generate SBOM
         run: |
           echo "SBOM generation would run here"
@@ -96,8 +107,10 @@ jobs:
   # VERIFICATION - Formal methods where applicable
   verification:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check SPARK proofs
         run: |
           if find . -name "*.ads" | grep -q .; then
@@ -112,8 +125,10 @@ jobs:
   # FUNCTIONALITY - Feature completeness
   functionality:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check TODOs and FIXMEs
         run: |
           echo "=== Incomplete items ==="
@@ -125,8 +140,10 @@ jobs:
   # PERFORMANCE - Benchmarks and profiling
   performance:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check for benchmarks
         run: |
           BENCHES=$(find . -name "*bench*" -o -name "*perf*" | wc -l)
@@ -142,8 +159,10 @@ jobs:
   accessibility:
     runs-on: ubuntu-latest
     if: hashFiles('**/*.html') != ''
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: HTML accessibility check
         run: |
           echo "Checking for a11y attributes..."
@@ -156,8 +175,10 @@ jobs:
   # LICENSE COMPLIANCE
   license:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check license files
         run: |
           if [ -f "LICENSE" ] || [ -f "LICENSE.txt" ] || [ -f "LICENSE.md" ]; then
@@ -174,8 +195,10 @@ jobs:
   # DOCUMENTATION QUALITY
   documentation:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check docs completeness
         run: |
           DOCS=""
 
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
@@ -16,14 +17,18 @@ on:
   release:
     types: [created]
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       digests: ${{ steps.hash.outputs.digests }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # ========================================================
       #
 
@@ -1,10 +1,16 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Guix/Nix Package Policy
 on: [push, pull_request]
+
+permissions: read-all
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Enforce Guix primary / Nix fallback
         run: |
           # Check for package manager files
 
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Mirror to GitLab and Bitbucket
 
 on:
@@ -7,14 +8,18 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   mirror-gitlab:
     runs-on: ubuntu-latest
     if: ${{ vars.GITLAB_MIRROR_ENABLED == 'true' }}
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
@@ -30,10 +35,12 @@ jobs:
   mirror-bitbucket:
     runs-on: ubuntu-latest
     if: ${{ vars.BITBUCKET_MIRROR_ENABLED == 'true' }}
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
 
@@ -1,10 +1,16 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: NPM/Bun Blocker
 on: [push, pull_request]
+
+permissions: read-all
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Block npm/bun
         run: |
           if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then
 
@@ -1,18 +1,23 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Code Quality
 on: [push, pull_request]
 
+permissions: read-all
+
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Check file permissions
         run: |
           find . -type f -perm /111 -name "*.sh" | head -10 || true
       
       - name: Check for secrets
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3.88.3
         with:
           path: ./
           base: ${{ github.event.pull_request.base.sha || github.event.before }}
@@ -34,8 +39,10 @@ jobs:
 
   docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check documentation
         run: |
           MISSING=""