hyperpolymath · hyperpolymath · Mar 20, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
@@ -1,19 +1,19 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: BoJ Server Build Trigger
-
 on:
   push:
-    branches: [ main, master ]
+    branches: [main, master]
   workflow_dispatch:
-
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         run: |
           # Send a secure trigger to boj-server to build this repository
           curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke"             -H "Content-Type: application/json"             -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
         continue-on-error: true
+permissions:
+  contents: read
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -9,7 +9,8 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analyze:

diff --git a/.github/workflows/elixir-ci.yml b/.github/workflows/elixir-ci.yml
@@ -1,15 +1,18 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-permissions: read-all
+permissions:
+  contents: read
 
 name: Elixir CI
 on: [push, pull_request]
-npermissions: read-all
+npermissions:
+  contents: read
 
 
 jobs:
   test:
     runs-on: ubuntu-latest
-npermissions: read-all
+npermissions:
+  contents: read
 
     env:
       MIX_ENV: test
@@ -18,10 +21,12 @@ npermissions: read-all
       - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1
         with:
           otp-version: '26'
-npermissions: read-all
+npermissions:
+  contents: read
 
           elixir-version: '1.15'
-npermissions: read-all
+npermissions:
+  contents: read
 
 
       - name: Cache deps

diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -11,7 +11,8 @@
 # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
 # For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
 
-permissions: read-all
+permissions:
+  contents: read
 
 name: SLSA generic generator
 on:

diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
@@ -2,7 +2,8 @@
 name: Guix/Nix Package Policy
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:

diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
@@ -11,7 +11,8 @@ on:
     - cron: '0 0 * * 0'  # Weekly on Sunday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scan:

diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
@@ -7,7 +7,8 @@ on:
     branches: [main]
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   mirror-gitlab:

diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml
@@ -2,7 +2,8 @@
 name: NPM/Bun Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:

diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -3,7 +3,8 @@ name: Code Quality
 on: [push, pull_request]
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint:

diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml
@@ -1,22 +1,26 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
-permissions: read-all
+permissions:
+  contents: read
 
 name: ReScript/Deno CI
 on: [push, pull_request]
-npermissions: read-all
+npermissions:
+  contents: read
 
 
 jobs:
   build:
     runs-on: ubuntu-latest
-npermissions: read-all
+npermissions:
+  contents: read
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2
         with:
           deno-version: v1.x
-npermissions: read-all
+npermissions:
+  contents: read
 
 
       - name: Deno lint
@@ -40,7 +44,8 @@ npermissions: read-all
 
   security:
     runs-on: ubuntu-latest
-npermissions: read-all
+npermissions:
+  contents: read
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
@@ -14,7 +14,8 @@ on:
     branches: [main, master, develop]
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   antipattern-check:

diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
@@ -9,7 +9,8 @@ on:
     - cron: '0 6 * * 1'  # Weekly on Monday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scorecard:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -7,7 +7,8 @@ on:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:

diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
@@ -7,7 +7,8 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   trufflehog:

diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
@@ -2,7 +2,8 @@
 name: Security Policy
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:

diff --git a/.github/workflows/trustfile.yml b/.github/workflows/trustfile.yml
@@ -14,7 +14,8 @@ on:
     paths:
       - 'bofig.trustfile.a2ml'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   validate:

diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml
@@ -2,7 +2,8 @@
 name: TypeScript/JavaScript Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:

diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
@@ -15,7 +15,8 @@ on:
   workflow_dispatch:
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   validate:

diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
@@ -12,7 +12,8 @@ on:
       - '.github/workflows/**'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint-workflows:
@@ -53,7 +54,8 @@ jobs:
             fi
           done
           if [ $failed -eq 1 ]; then
-            echo "Add 'permissions: read-all' at workflow level"
+            echo "Add 'permissions:
+  contents: read' at workflow level"
             exit 1
           fi
           echo "All workflows have permissions declared"
@@ -63,7 +65,7 @@ jobs:
           echo "=== Checking Action Pinning ==="
           # Find any uses: lines that don't have @SHA format
           # Pattern: uses: owner/repo@<40-char-hex>
-          unpinned=$(grep -rn "uses:" .github/workflows/ | \
+          unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \
             grep -v "@[a-f0-9]\{40\}" | \
             grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true)
 

diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt
@@ -0,0 +1 @@
+Scorecard requirement placeholder