From 8b7fa56af9aa6f28954082e66c2618db3577bebd Mon Sep 17 00:00:00 2001
From: CoderDeltaLan <coderdeltalan@gmail.com>
Date: Mon, 22 Sep 2025 08:50:17 +0100
Subject: [PATCH 1/4] =?UTF-8?q?ci:=20harden=20Scorecard=20=E2=80=94=20publ?=
 =?UTF-8?q?ish=20results=20and=20pin=20actions=20by=20SHA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/scorecards.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 3a9cdeb..d8af420 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -30,9 +30,9 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: false
+          publish_results: true
 
       - name: Upload SARIF to code scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarifc86100d080feab897ff886c34abd4c83a3
         with:
           sarif_file: results.sarif

From 222162f694f58ceb48656b24417918eea2908dc3 Mon Sep 17 00:00:00 2001
From: CoderDeltaLan <coderdeltalan@gmail.com>
Date: Mon, 22 Sep 2025 08:51:27 +0100
Subject: [PATCH 2/4] ci: fix Scorecard SARIF uploader ref

---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index d8af420..f676b40 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -33,6 +33,6 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF to code scanning
-        uses: github/codeql-action/upload-sarifc86100d080feab897ff886c34abd4c83a3
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

From 862c689726f05d40b70acdd51673e54c5304e4e4 Mon Sep 17 00:00:00 2001
From: CoderDeltaLan <coderdeltalan@gmail.com>
Date: Mon, 22 Sep 2025 09:10:44 +0100
Subject: [PATCH 3/4] ci: enforce least-privilege GITHUB_TOKEN (permissions:
 contents: read)

---
 .github/workflows/scorecards.yml.bak | 38 ++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/scorecards.yml.bak

diff --git a/.github/workflows/scorecards.yml.bak b/.github/workflows/scorecards.yml.bak
new file mode 100644
index 0000000..3a9cdeb
--- /dev/null
+++ b/.github/workflows/scorecards.yml.bak
@@ -0,0 +1,38 @@
+name: OpenSSF Scorecard
+on:
+  push:
+    branches: ["main"]
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: scorecard-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard (private publish)
+        uses: ossf/scorecard-action@v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: false
+
+      - name: Upload SARIF to code scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

From d333966736c41d48ba3955cce0dc8d89b6c3c1d2 Mon Sep 17 00:00:00 2001
From: CoderDeltaLan <coderdeltalan@gmail.com>
Date: Mon, 22 Sep 2025 09:13:29 +0100
Subject: [PATCH 4/4] ci: enforce least-privilege at root (permissions:
 contents: read) and ignore _ci_diag for formatting

---
 .github/workflows/scorecards.yml.bak | 38 ----------------------------
 .gitignore                           |  1 +
 .prettierignore                      |  1 +
 3 files changed, 2 insertions(+), 38 deletions(-)
 delete mode 100644 .github/workflows/scorecards.yml.bak

diff --git a/.github/workflows/scorecards.yml.bak b/.github/workflows/scorecards.yml.bak
deleted file mode 100644
index 3a9cdeb..0000000
--- a/.github/workflows/scorecards.yml.bak
+++ /dev/null
@@ -1,38 +0,0 @@
-name: OpenSSF Scorecard
-on:
-  push:
-    branches: ["main"]
-  schedule:
-    - cron: "0 6 * * 1"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: scorecard-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  analysis:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-      id-token: write
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Run Scorecard (private publish)
-        uses: ossf/scorecard-action@v2.4.2
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          publish_results: false
-
-      - name: Upload SARIF to code scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
index 2718c71..5c2ed93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ _ci_redfix/
 # local artifacts
 _ci_local/
 .tools/
+_ci_diag/
diff --git a/.prettierignore b/.prettierignore
index 36dd1bb..12c6c6a 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -9,3 +9,4 @@ poetry.lock
 
 pnpm-lock.yaml
 pnpm-lock.yaml
+_ci_diag/