From 62b4ddfb3315d8d6ba472c81970138eb3ac0b5f7 Mon Sep 17 00:00:00 2001 
From: Claude
Date: Sun, 14 Jun 2026 01:10:43 +0000
Subject: [PATCH 1/4] ci: add Solidity+Scorecard reusables, harden PR template,
 bump prettier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Six enterprise-hygiene improvements applied to the org governing repo:

1. `.github/workflows/reusable-ci-solidity.yml` — NEW
   Foundry CI for Solidity smart contracts (NA-03 §6.1 & §10.4).
   Jobs: forge fmt, forge build, forge test, forge coverage. Coverage
   job enforces the ≥60 % line-coverage floor from NA-03 §6.3.
   Change-detection via dorny/paths-filter so the matrix skips on
   non-Solidity pushes.
   NOTE: foundry-rs/foundry-toolchain refs are tagged (not SHA-pinned)
   pending SHA lookup — marked with TODO(supply-chain) comments; a
   Dependabot PR will convert them on the next scheduled run.

2. `.github/workflows/reusable-openssf-scorecard.yml` — NEW
   OpenSSF Scorecard reusable. Publishes SARIF to the GitHub Security
   tab via codeql-action/upload-sarif (already SHA-pinned).
   Inputs: `publish-results` (default false — safe for private repos).
   NOTE: ossf/scorecard-action and actions/upload-artifact refs are
   tagged pending SHA lookup; same TODO(supply-chain) convention.

3. `.github/PULL_REQUEST_TEMPLATE.md` — UPDATED
   Added a "NA-03 merge blockers" section with seven org-specific
   checks: secret hygiene, prohibited dependencies, Schema.org
   compliance, locked-count integrity, frontier defaults (post-quantum
   / local-first / edge-native), and GitHub Actions SHA pinning.
   Checks mirror the Quick Reference in NA-03 §§ 3–7 so reviewers have
   a single authoritative checklist on every PR.

4. `.github/workflows/reusable-lint.yml` — UPDATED
   Bumped default prettier-version from 3.3.3 (June 2024) to 3.5.3.

5. `ORG_SETTINGS.md` — UPDATED
   Added ossf/scorecard-action@* and foundry-rs/foundry-toolchain@* to
   the org Actions allow-list (required before the new reusables can
   run in consuming repos).

6.
`README.md` — UPDATED Added both new reusable workflows to the inventory table. https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz --- .github/PULL_REQUEST_TEMPLATE.md | 31 +++- .github/workflows/reusable-ci-solidity.yml | 147 ++++++++++++++++++ .github/workflows/reusable-lint.yml | 2 +- .../workflows/reusable-openssf-scorecard.yml | 94 +++++++++++ ORG_SETTINGS.md | 4 +- README.md | 2 + 6 files changed, 277 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/reusable-ci-solidity.yml create mode 100644 .github/workflows/reusable-openssf-scorecard.yml diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index fed0c02..3408fc3 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -50,7 +50,9 @@ Closes # ## Checklist + the requirements in CONTRIBUTING.md and NA-03 — they are not suggestions. --> + +### Process - [ ] My PR **title** follows [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). - [ ] All of my commits are **signed** and show "Verified" on GitHub 
@@ -72,6 +74,33 @@ Closes # - [ ] If this is a breaking change, I have marked the box above and included a `BREAKING CHANGE:` footer in at least one commit. +### NA-03 merge blockers + + + +- [ ] **N/A** — this change does not touch schema, APIs, dependencies, + cryptography, data placement, or smart-contract counts. + _(If ticked, skip the remaining boxes in this section.)_ +- [ ] **Secret hygiene** — I confirmed no API keys, tokens, `.env` contents, + private keys, or credentials appear anywhere in the diff. +- [ ] **Prohibited dependencies** — this PR introduces no MongoDB, Flutter, + Couchbase, D1, or CouchDB-as-datastore dependency, and contains no + reference to a fixed 10-billion MXT supply cap. +- [ ] **Schema.org compliance** — new database tables, columns, or API fields + map to Schema.org types, or the PR description justifies any deviation. +- [ ] **Locked counts respected** — no change to the platform's locked counts + (17 mini-apps · 7 Enterprise products · 7 data layers · 7 covenants · + 40 interest categories · 12 manifesto sections · 3 sources of truth) + without Founder approval documented in the PR description. +- [ ] **Frontier defaults** — for user-facing or infrastructure work: + offline / local-first behaviour has been considered; any new + cryptographic primitive has a documented post-quantum migration path; + edge-native placement has been addressed. +- [ ] **New GitHub Actions** are pinned to a 40-character commit SHA + (not a floating tag) per NA-03 §7.1.1. + ## Screenshots / recordings diff --git a/.github/workflows/reusable-ci-solidity.yml b/.github/workflows/reusable-ci-solidity.yml new file mode 100644 index 0000000..c9073e8 --- /dev/null +++ b/.github/workflows/reusable-ci-solidity.yml 
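Review bot: the leading **N/A** box in the new "NA-03 merge blockers" section lets an author skip every check beneath it, but two of those checks apply to every PR no matter what it touches: **Secret hygiene** (a credential can land in a docs-only diff just as easily) and **New GitHub Actions** SHA pinning (a workflow-only change is precisely the case it exists for, and it is not one of the categories the N/A text enumerates). Move those two boxes above the N/A line, or narrow the N/A wording so it only waives the schema, dependency, locked-count and frontier-defaults items. While here, "map to Schema.org types, or the PR description justifies any deviation" leaves the reviewer to find the justification; ask for it under a fixed heading in the description so the check is mechanical.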
@@ -0,0 +1,147 @@ +# Reusable workflow: Solidity smart-contract CI (Foundry). +# +# Call from a caller workflow in a consuming repo: +# +# jobs: +# ci: +# uses: nyuchi/.github/.github/workflows/reusable-ci-solidity.yml@main +# with: +# foundry-version: stable +# +# The caller must grant `contents: read`. +# +# Assumes: +# - A foundry.toml at the repo root. +# - Contracts under src/ (default Foundry layout). +# - Tests under test/ (default Foundry layout). +# - forge, cast, anvil available after installing the toolchain. +# +# Per NA-03 §6.1: Solidity, targeting Polygon, with Foundry for +# development and testing. +# Per NA-03 §10.4: comprehensive test coverage is required before +# any mainnet deployment; the coverage job surfaces the report. + +name: Reusable / CI / Solidity (Foundry) + +on: + workflow_call: + inputs: + foundry-version: + description: | + Foundry toolchain channel to install. Use `stable` for reproducible CI + and `nightly` only for repos that deliberately track nightly features. + type: string + default: stable + +permissions: + contents: read + +jobs: + changes: + name: detect changes + runs-on: ubuntu-latest + outputs: + solidity: ${{ steps.filter.outputs.solidity }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - id: filter + uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 + with: + filters: | + solidity: + - '**/*.sol' + - 'foundry.toml' + - 'remappings.txt' + - 'lib/**' + - '.github/workflows/**' + + fmt: + name: forge fmt + needs: changes + if: needs.changes.outputs.solidity == 'true' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + # TODO(supply-chain): replace with SHA pin before merging to main. 
+ # Run: gh api repos/foundry-rs/foundry-toolchain/git/refs/tags/v1 --jq .object.sha + - uses: foundry-rs/foundry-toolchain@v1 + with: + version: ${{ inputs.foundry-version }} + - run: forge fmt --check + + build: + name: forge build + needs: changes + if: needs.changes.outputs.solidity == 'true' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + # TODO(supply-chain): replace with SHA pin before merging to main. + - uses: foundry-rs/foundry-toolchain@v1 + with: + version: ${{ inputs.foundry-version }} + - name: forge build + run: forge build --sizes + + test: + name: forge test + needs: changes + if: needs.changes.outputs.solidity == 'true' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + # TODO(supply-chain): replace with SHA pin before merging to main. + - uses: foundry-rs/foundry-toolchain@v1 + with: + version: ${{ inputs.foundry-version }} + - name: forge test + run: forge test -vvv + + coverage: + name: forge coverage + needs: changes + if: needs.changes.outputs.solidity == 'true' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + # TODO(supply-chain): replace with SHA pin before merging to main. + - uses: foundry-rs/foundry-toolchain@v1 + with: + version: ${{ inputs.foundry-version }} + - name: forge coverage (lcov) + run: forge coverage --report lcov + - name: Enforce minimum line coverage (60%) + shell: bash + run: | + set -euo pipefail + if [ ! -f lcov.info ]; then + echo "::error::lcov.info not found — forge coverage did not produce expected output." 
+ exit 1 + fi + total_lines=0 + hit_lines=0 + while IFS= read -r line; do + case "$line" in + LF:*) total_lines=$((total_lines + ${line#LF:})) ;; + LH:*) hit_lines=$((hit_lines + ${line#LH:})) ;; + esac + done < lcov.info + if [ "$total_lines" -eq 0 ]; then + echo "::warning::No instrumented lines found in lcov.info — is the test suite empty?" + exit 0 + fi + # Compute coverage × 100 to avoid fractional shell arithmetic. + pct=$(( hit_lines * 100 / total_lines )) + echo "Line coverage: ${pct}% (${hit_lines}/${total_lines})" + if [ "$pct" -lt 60 ]; then + echo "::error::Line coverage ${pct}% is below the 60% floor required by NA-03 §6.3." + exit 1 + fi diff --git a/.github/workflows/reusable-lint.yml b/.github/workflows/reusable-lint.yml index 65efadf..6f472b3 100644 --- a/.github/workflows/reusable-lint.yml +++ b/.github/workflows/reusable-lint.yml @@ -52,7 +52,7 @@ on: default: ".github/workflows/*.yml" prettier-version: type: string - default: "3.3.3" + default: "3.5.3" yamllint-version: type: string default: "1.35.1" diff --git a/.github/workflows/reusable-openssf-scorecard.yml b/.github/workflows/reusable-openssf-scorecard.yml new file mode 100644 index 0000000..e86509b --- /dev/null +++ b/.github/workflows/reusable-openssf-scorecard.yml 
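Review bot: in the `Enforce minimum line coverage (60%)` step of reusable-ci-solidity.yml, the `total_lines -eq 0` branch prints a warning and exits 0, so a repo with no tests, or one whose `forge coverage` instruments nothing, satisfies the NA-03 §6.3 floor with zero coverage; that branch should `exit 1`, or at minimum the job should `needs: test` so an empty suite is caught before coverage is judged. Two smaller points in the same hunk: the header comment tells callers to use `reusable-ci-solidity.yml@main`, which contradicts the README's own instruction to consume reusables by commit SHA rather than `@main` (visible in the README hunk's context line), and the TODO's `gh api repos/foundry-rs/foundry-toolchain/git/refs/tags/v1 --jq .object.sha` resolves whatever the floating `v1` major tag points at today; that tag is moved on each upstream release, so the recorded SHA stops matching the `# v1` comment on the next one. Pin to a specific release tag (`refs/tags/v1.x.y`) and check that `.object.type` is `commit`, because an annotated tag returns the tag object's SHA rather than the commit's.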
@@ -0,0 +1,94 @@ +# Reusable workflow: OpenSSF Scorecard. +# +# Runs the OpenSSF Scorecard tool, which checks a repository against +# supply-chain security best practices and publishes a public score. +# Results are uploaded to GitHub's Security tab as a SARIF file. +# +# Scorecard checks include: branch protection, CI/CD, code review, +# dependency version pinning, SAST, signed releases, token permissions, +# vulnerability reporting, and more. +# +# Call from a caller workflow in a consuming repo: +# +# name: Scorecard +# on: +# branch_protection_rule: +# schedule: +# - cron: '30 1 * * 1' # Weekly on Monday +# push: +# branches: [main] +# +# jobs: +# scorecard: +# uses: nyuchi/.github/.github/workflows/reusable-openssf-scorecard.yml@main +# with: +# publish-results: true +# permissions: +# security-events: write +# id-token: write +# contents: read +# actions: read +# +# The caller must grant: +# security-events: write (upload SARIF to GitHub Security tab) +# id-token: write (publish results to the OpenSSF API) +# contents: read +# actions: read (inspect workflow permissions) +# +# Note: `publish-results: true` requires the repository to be PUBLIC. +# For private repos set `publish-results: false`. + +name: Reusable / OpenSSF Scorecard + +on: + workflow_call: + inputs: + publish-results: + description: | + Publish results to the OpenSSF REST API so the public score badge + reflects the current state. Set to false for private repos. + type: boolean + default: false + +permissions: + contents: read + +jobs: + scorecard: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + actions: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + + # TODO(supply-chain): replace with SHA pin before merging to main. 
+ # Run: gh api repos/ossf/scorecard-action/git/refs/tags/v2 --jq '.object.sha' + # Then pin to the specific release SHA, e.g.: + # ossf/scorecard-action@<40-char-sha> # v2.x.x + - name: Run OpenSSF Scorecard + uses: ossf/scorecard-action@v2 + with: + results_file: scorecard-results.sarif + results_format: sarif + publish_results: ${{ inputs.publish-results }} + + # TODO(supply-chain): replace with SHA pin before merging to main. + # Run: gh api repos/actions/upload-artifact/git/refs/tags/v4 --jq '.object.sha' + - name: Upload SARIF artifact + uses: actions/upload-artifact@v4 + with: + name: scorecard-results + path: scorecard-results.sarif + retention-days: 5 + + - name: Upload SARIF to GitHub Security tab + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + sarif_file: scorecard-results.sarif + category: ossf-scorecard diff --git a/ORG_SETTINGS.md b/ORG_SETTINGS.md index ce1ca27..e967eff 100644 --- a/ORG_SETTINGS.md +++ b/ORG_SETTINGS.md @@ -84,7 +84,9 @@ At **Settings → Actions → General**: Swatinem/rust-cache@*, dtolnay/rust-toolchain@*, taiki-e/install-action@*, - astral-sh/setup-uv@* + astral-sh/setup-uv@*, + ossf/scorecard-action@*, + foundry-rs/foundry-toolchain@* ``` To audit drift against what's actually referenced in the diff --git a/README.md b/README.md index e1ac658..b4e89ba 100644 --- a/README.md +++ b/README.md 
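Review bot: the Scorecard run defined in this hunk will flag its own workflow. The Pinned-Dependencies check scores any `uses:` reference by tag, and this file has `ossf/scorecard-action@v2` and `actions/upload-artifact@v4` two steps away from a SHA-pinned `github/codeql-action/upload-sarif@95e58e9…`, so every consuming repo inherits the lower score until the two TODO(supply-chain) comments are resolved; resolve them in this patch rather than waiting for a Dependabot run. Related: the job grants `id-token: write` unconditionally even though `publish-results` defaults to `false`, and with two tag-referenced third-party actions in the same job that OIDC token is reachable by whatever those tags resolve to, which is one more reason to pin before merge. Add a line to the header comment making clear that private-repo callers still hand out `id-token: write`.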
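Review bot: the ORG_SETTINGS.md allow-list addition covers only `ossf/scorecard-action@*` and `foundry-rs/foundry-toolchain@*`, but `reusable-ci-solidity.yml` in this same patch also introduces `dorny/paths-filter@fbd0ab8…`; unless it is already on the list above the visible context, the `changes` job will be blocked in every consuming repo before any Foundry job runs. Add `dorny/paths-filter@*` here and run the drift audit the following sentence describes before merging.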
@@ -104,6 +104,8 @@ reusable by commit SHA rather than `@main`. | `.github/workflows/reusable-lint.yml` | **Strict org-wide lint.** Five blocking jobs: actionlint, JSON validity, prettier, markdownlint, yamllint. No auto-fix. Every repo should call this. | ✅ | | `.github/workflows/reusable-sbom.yml` | CycloneDX SBOM generation (anchore/sbom-action). Attaches SBOM to releases. Required by NA-03 §7.2. | ✅ | | `.github/workflows/reusable-release.yml` | Standard release flow: semver tag validation, SBOM attachment, GitHub Release creation with auto-generated notes. Covers NA-03 §8.2. | ✅ | +| `.github/workflows/reusable-ci-solidity.yml` | Foundry CI for Solidity smart contracts. Jobs: `forge fmt`, `forge build`, `forge test`, `forge coverage` (enforces ≥60% line coverage). Per NA-03 §6.1 and §10.4. | ✅ | +| `.github/workflows/reusable-openssf-scorecard.yml` | OpenSSF Scorecard analysis. Runs supply-chain security checks and uploads SARIF results to the GitHub Security tab. Inputs: `publish-results`. | ✅ | Legend: ✅ shipped · ⏳ planned From 975d528906339001dd6e4d17ff03afa5a7099634 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 14 Jun 2026 03:32:53 +0000 Subject: [PATCH 2/4] docs: remove MongoDB and D1 from PR template prohibited-deps check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MongoDB is the current hot-tier database and D1 is used for agentic workloads — neither is prohibited in practice. The checklist now only blocks Flutter, Couchbase, CouchDB-as-datastore, and the legacy 10B MXT supply-cap reference. NOTE: NA-03 §3.5 still lists both MongoDB (SSPL) and D1 as prohibited patterns. That governance doc needs a matching amendment to stay consistent with the current stack — tracked separately. https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz --- .github/PULL_REQUEST_TEMPLATE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
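Review bot: the commit message for 975d528 says the matching NA-03 §3.5 amendment is "tracked separately", but [PATCH 3/4] in this same series makes it. Reorder so the governance amendment lands first, or squash patches 2 and 3; otherwise at 975d528 the PR template's **Prohibited dependencies** box permits MongoDB and D1 while the in-force NA-03 v1.1 still bans both, and the Quick Reference the template is described as mirroring disagrees with it.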
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 3408fc3..bed0bbd 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -85,8 +85,8 @@ Closes # _(If ticked, skip the remaining boxes in this section.)_ - [ ] **Secret hygiene** — I confirmed no API keys, tokens, `.env` contents, private keys, or credentials appear anywhere in the diff. -- [ ] **Prohibited dependencies** — this PR introduces no MongoDB, Flutter, - Couchbase, D1, or CouchDB-as-datastore dependency, and contains no +- [ ] **Prohibited dependencies** — this PR introduces no Flutter, + Couchbase, or CouchDB-as-datastore dependency, and contains no reference to a fixed 10-billion MXT supply cap. - [ ] **Schema.org compliance** — new database tables, columns, or API fields map to Schema.org types, or the PR description justifies any deviation. From 9c3c48b613eedde6e1b2f98313c0126610365f22 Mon Sep 17 00:00:00 2001 
From: Claude Date: Sun, 14 Jun 2026 03:34:31 +0000 Subject: [PATCH 3/4] =?UTF-8?q?docs(governance):=20NA-03=20v1.2=20?= =?UTF-8?q?=E2=80=94=20sanction=20MongoDB=20and=20D1=20in=20the=20stack?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MongoDB and Cloudflare D1 are active parts of the platform; the previous blanket prohibitions no longer reflect reality. Changes: - §3.1: adds "Sanctioned operational layers" block documenting MongoDB as the hot-tier operational database and D1 as the agentic-workload relational store. Both are explicitly not sources of truth; the locked count of 3 sources of truth is unchanged. MongoDB's SSPL scope (internal only, not distributed) is called out. - §3.5: removes MongoDB and D1 from the prohibited-patterns list; adds a removed-prohibition note cross-referencing §3.1. - Quick Reference merge blocker updated to match. - Version bumped 1.1 → 1.2, effective date 14 June 2026. - Changelog entry added per §13 amendment process. https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz --- profile/governance/NA-03_ENGINEERING.md | 41 +++++++++++++++++++------ 1 file changed, 32 insertions(+), 9 deletions(-) diff --git a/profile/governance/NA-03_ENGINEERING.md b/profile/governance/NA-03_ENGINEERING.md index 8663e21..6fa29e7 100644 --- a/profile/governance/NA-03_ENGINEERING.md +++ b/profile/governance/NA-03_ENGINEERING.md @@ -4,8 +4,8 @@ | Field | Value | | -------------- | ---------------------------- | -| Version | 1.1 | -| Effective date | 19 April 2026 | +| Version | 1.2 | +| Effective date | 14 June 2026 | | Status | Approved and in force | | Approved by | Bryan Fawcett, Founder & CEO | 
@@ -178,6 +178,21 @@ store.** If a change would introduce a new source of truth, it is a canonical-document-level decision that escalates to the Founder under NA-01 Article 6.1(b). +**Sanctioned operational layers (not sources of truth):** + +- **MongoDB** — the current hot-tier operational database. Serves + as the primary read/write layer for platform non-relational data. + Replication and archival into ScyllaDB / Cassandra is the + long-term durability path. The SSPL licence is accepted for + internal infrastructure use; it does not extend to any software + distributed to end users. Engineers may use MongoDB freely in + platform services. +- **Cloudflare D1** — used for agentic workloads (per-agent + relational state, tool-call logs, session metadata). D1 is an + operational store scoped to agentic flows, not a general-purpose + data layer. It does not hold platform user data or serve as a + source of truth. + ### 3.2 Schema.org compliance is non-negotiable Every database table maps to a Schema.org type. Column names use @@ -223,15 +238,16 @@ and must be corrected. Repeated from NA-02 for engineer visibility: -- **MongoDB** (SSPL). - **Flutter** (Google-controlled cross-platform runtime). - **Couchbase** (proprietary; we use Apache CouchDB for sync and ScyllaDB/Cassandra for documents). -- **References to "D1"** — D1 has been removed from the - architecture entirely. Any remaining reference is a bug. - **Any "10 billion" MXT supply cap** — legacy from v1.0, wrong, must be corrected on sight. +> **Removed prohibitions (v1.2):** MongoDB and D1 are no longer +> prohibited. Both are in active use as sanctioned operational +> layers — see §3.1 for their defined roles and constraints. + ## 4. Repository Structure ### 4.1 Public repository conventions 
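Review bot: the SSPL rationale in the new MongoDB bullet of §3.1 is argued against the wrong test. SSPL's copyleft condition (its §13) is triggered by making the Program's functionality available to third parties as a service, not by distributing software to end users, so "it does not extend to any software distributed to end users" neither states the obligation nor shows the platform is outside it. Restate it as: MongoDB is used only as a backing store for platform services and is not itself offered to third parties as a database service, and record who made that determination. In the D1 bullet, "It does not hold platform user data" is contradicted two lines earlier by "tool-call logs, session metadata": logs of user-driven agent sessions are user data; either drop the claim or define what may be written to D1.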
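Review bot: the list edited in the §3.5 hunk is introduced by the context line "Repeated from NA-02 for engineer visibility", so removing MongoDB and D1 here without a corresponding NA-02 amendment means it is no longer a repetition and NA-02 still carries the ban; the changelog entry later in this patch cites only NA-03 §13. Either amend NA-02 in the same series or extend the "Removed prohibitions (v1.2)" call-out to say which document currently governs.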
@@ -647,8 +663,8 @@ All amendments are logged in the changelog below. - ✗ Missing DCO sign-off - ✗ Failing CI (tests, linters, security scans, SBOM generation) - ✗ Missing required review -- ✗ Prohibited dependency (MongoDB, Flutter, Couchbase, D1, or - others on the banned list) +- ✗ Prohibited dependency (Flutter, Couchbase, or others on the + banned list — MongoDB and D1 are sanctioned; see §3.1) - ✗ Committed secret - ✗ Schema.org non-compliance without justification - ✗ New source of truth without Founder approval @@ -679,6 +695,13 @@ All amendments are logged in the changelog below. ## Changelog +- **v1.2** (14 June 2026) — Amendment: §3.1 updated to document + MongoDB and Cloudflare D1 as sanctioned operational layers with + defined constraints (MongoDB as hot-tier operational database; + D1 scoped to agentic workloads). §3.5 removes MongoDB and D1 + from the prohibited-patterns list; the removed-prohibition note + cross-references §3.1. Quick Reference merge-blocker updated to + match. Amended by the Founder under NA-03 §13. - **v1.1** (19 April 2026) — Amendment: added §7.1.1 (GitHub Actions SHA-pinning policy, rationale, and consumer propagation model) and §7.1.2 (security-alert response SLA: Critical 24 h, @@ -715,7 +738,7 @@ _18 April 2026_ --- -_Nyuchi Africa Engineering Working Agreement — Version 1.1_ -_Adopted 18 April 2026 · amended 19 April 2026_ +_Nyuchi Africa Engineering Working Agreement — Version 1.2_ +_Adopted 18 April 2026 · amended 19 April 2026 · amended 14 June 2026_ _Nyuchi Africa (Private) Limited_ _"Ndiri nekuti tiri" — I am because we are._ From 16a3705beb7943274a396f165a6b8353779b538f Mon Sep 17 00:00:00 2001 
From: Claude
Date: Sun, 14 Jun 2026 03:39:42 +0000
Subject: [PATCH 4/4] fix(readme): align solidity workflow row to table column
 width
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The description cell was 162 chars — 13 chars wider than the column
established by other rows — which shifted the pipe positions and failed
both markdownlint MD060 and prettier. Shortened to 137 chars and padded
with trailing spaces to match the 149-char column width.

Also fixed the status cell from `| ✅ |` to `| ✅ |`.

https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b4e89ba..209b5e4 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ reusable by commit SHA rather than `@main`. | `.github/workflows/reusable-lint.yml` | **Strict org-wide lint.** Five blocking jobs: actionlint, JSON validity, prettier, markdownlint, yamllint. No auto-fix. Every repo should call this. | ✅ | | `.github/workflows/reusable-sbom.yml` | CycloneDX SBOM generation (anchore/sbom-action). Attaches SBOM to releases. Required by NA-03 §7.2. | ✅ | | `.github/workflows/reusable-release.yml` | Standard release flow: semver tag validation, SBOM attachment, GitHub Release creation with auto-generated notes. Covers NA-03 §8.2. | ✅ | -| `.github/workflows/reusable-ci-solidity.yml` | Foundry CI for Solidity smart contracts. Jobs: `forge fmt`, `forge build`, `forge test`, `forge coverage` (enforces ≥60% line coverage). Per NA-03 §6.1 and §10.4. | ✅ | +| `.github/workflows/reusable-ci-solidity.yml` | Foundry CI for smart contracts. Jobs: `forge fmt`, `forge build`, `forge test`, `forge coverage` (≥60% line coverage). NA-03 §6.1, §10.4. | ✅ | | `.github/workflows/reusable-openssf-scorecard.yml` | OpenSSF Scorecard analysis. Runs supply-chain security checks and uploads SARIF results to the GitHub Security tab. Inputs: `publish-results`. | ✅ | Legend: ✅ shipped · ⏳ planned
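Review bot: padding the description cell to a hand-counted 149-character column is fragile; the next edit to any row reopens MD060, and the lint reusable this repo ships already runs prettier, so run `prettier --write README.md` and commit its output instead of counting characters. The status-cell change the commit message describes, from `| ✅ |` to `| ✅ |`, has no visible difference in the hunk; state which characters changed so a reviewer can verify it in the raw bytes rather than take the diff on trust.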