
ci(security): address remaining scorecard findings #5

Merged
bochkov-anton merged 2 commits into main from chore/scorecard-follow-up-remediation
Apr 24, 2026

Conversation


@bochkov-anton bochkov-anton commented Apr 24, 2026

Summary

  • Pins govulncheck installation to golang.org/x/vuln/cmd/govulncheck@v1.1.4.
  • Replaces ephemeral commitlint installation with a lockfile-backed tool package using @commitlint/cli@19.8.1 and @commitlint/config-conventional@19.8.1.
  • Replaces un-hashed benchmark Python dependency installation with hash-locked requirements.lock.
  • Adds Go fuzz coverage for pool lifecycle invariants.
  • Adds a pinned GitHub Actions fuzz workflow.
  • Adds or improves maintenance metadata without inventing project activity.

Scorecard impact

Expected to improve or resolve:

  • Pinned-Dependencies
  • Fuzzing

Expected to improve partially, but not fully resolve immediately:

  • Maintained

Requires GitHub repository settings or real review activity outside this PR:

  • Branch-Protection
  • Code-Review
  • CII-Best-Practices

Fixed versions

  • golang.org/x/vuln/cmd/govulncheck@v1.1.4
  • @commitlint/cli@19.8.1
  • @commitlint/config-conventional@19.8.1
  • pip-tools==7.4.1 used only as a local lockfile generation helper
  • Python benchmark dependencies remain at the versions already declared in requirements.txt

Manual GitHub settings still required

  • Repository Settings -> Actions -> General:
    • Workflow permissions: Read repository contents and packages permissions
    • Disable "Allow GitHub Actions to create and approve pull requests"
  • Repository Settings -> Rules -> Rulesets -> main branch ruleset:
    • Target branch: main
    • Require a pull request before merging
    • Require status checks to pass
    • Require branches to be up to date before merging
    • Require conversation resolution before merging
    • Require linear history
    • Block force pushes
    • Block deletions
    • Apply rules to administrators
  • Pull request review settings:
    • If a second maintainer is available:
      • Required approvals: 1
      • Dismiss stale pull request approvals when new commits are pushed
      • Require review from Code Owners
      • Require approval of the most recent reviewable push
    • If this is still a solo-maintainer repository:
      • Do not add fake approval requirements that make normal maintenance impossible
      • Keep PR-only flow and required checks enabled
      • Accept that Scorecard Code-Review may remain low until real independent reviews exist
  • Required status checks:
    • ci-summary
    • golangci-lint
    • docs-smoke
    • benchmark-smoke
    • govulncheck
    • dependency-review
    • commitlint
    • fuzz
  • OpenSSF Best Practices:
    • Register the project when governance, releases, security policy, and contribution workflow are stable.
    • Do not add a badge to README until there is a real badge URL.
    • This PR does not claim Best Practices certification.

Validation

  • go mod tidy
  • go test ./...
  • go test -race ./...
  • go vet ./...
  • go test ./... -run '^$' -fuzz=Fuzz -fuzztime=10s
  • npm ci --prefix tools/commitlint --ignore-scripts --no-audit --fund=false
  • tools/commitlint/node_modules/.bin/commitlint --version
  • python3 -m pip install --require-hashes --requirement requirements.lock
  • python3 bench/scripts/plot_benchmarks.py --help
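As an added illustration of the "Go fuzz coverage for pool lifecycle invariants" item above (example code, not the project's own test, whose pool API this page does not show), the block below uses a hypothetical bounded pool and a fuzz target that replays byte-encoded get/put/close sequences against it. The invariants checked are the ones a pool lifecycle test usually cares about: a get is refused exactly when the pool is full or closed, an id can be returned once and only once, and nothing is handed out after close. The pool type, its capacity of 2 and the op encoding are all assumptions.

```go
package main
import "errors"
import "testing"
type pool struct { // hypothetical bounded pool, a stand-in for the project's own (its API is not in the PR)
	capacity, next int          // next: last id handed out
	held           map[int]bool // ids currently checked out
	closed         bool
}
func (p *pool) get() (int, error) {
	if p.closed || len(p.held) >= p.capacity {
		return 0, errors.New("pool closed or exhausted")
	}
	p.next++
	p.held[p.next] = true
	return p.next, nil
}
func (p *pool) put(id int) error {
	if !p.held[id] { // double put, or an id the pool never handed out
		return errors.New("put of id not held")
	}
	delete(p.held, id)
	return nil
}
// runScript replays a byte-encoded op sequence (the fuzz input) against a fresh pool; it returns the first broken invariant, or nil.
func runScript(data []byte) error {
	p := &pool{capacity: 2, held: map[int]bool{}}
	for _, b := range data {
		switch b % 3 {
		case 0: // get must be refused exactly when the pool is closed or full
			wantErr := p.closed || len(p.held) >= p.capacity
			if _, err := p.get(); (err != nil) != wantErr {
				return errors.New("get outcome disagrees with pool state")
			}
		case 1: // put must succeed once per held id and never for an unknown id
			id := int(b/3) % (p.next + 1)
			if wantErr := !p.held[id]; (p.put(id) != nil) != wantErr {
				return errors.New("put outcome disagrees with held set")
			}
		default: // close: every later get must be refused
			p.closed = true
		}
	}
	return nil
}
func FuzzPool(f *testing.F) {
	f.Add([]byte{0, 0, 0, 4, 4, 2, 0}) // seed: fill the pool, put id 1 twice, close, get
	f.Fuzz(func(t *testing.T, data []byte) {
		if err := runScript(data); err != nil {
			t.Fatal(err)
		}
	})
}
```

Run it with the same invocation the PR lists for a single package, e.g. `go test -run '^$' -fuzz=FuzzPool -fuzztime=10s .`; the seed corpus alone already exercises the full/refused, double-put and closed paths.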


github-actions Bot commented Apr 24, 2026

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ❌ 6 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
  • ⚠️ 55 packages with OpenSSF Scorecard issues.


@bochkov-anton bochkov-anton reopened this Apr 24, 2026
@bochkov-anton bochkov-anton reopened this Apr 24, 2026
@bochkov-anton bochkov-anton merged commit 543ba76 into main Apr 24, 2026
37 of 55 checks passed
@bochkov-anton bochkov-anton deleted the chore/scorecard-follow-up-remediation branch April 24, 2026 18:37