hyperpolymath
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 7 additions & 5 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 12 additions & 7 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎.github/workflows/comprehensive-quality.yml‎
Lines changed: 36 additions & 12 deletions b/‎.github/workflows/comprehensive-quality.yml‎
Lines changed: 36 additions & 12 deletions
diff --git a/‎.github/workflows/generator-generic-ossf-slsa3-publish.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/generator-generic-ossf-slsa3-publish.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎.github/workflows/guix-nix-policy.yml‎
Lines changed: 8 additions & 1 deletion b/‎.github/workflows/guix-nix-policy.yml‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎.github/workflows/haskell.yml‎
Lines changed: 7 additions & 6 deletions b/‎.github/workflows/haskell.yml‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎.github/workflows/mirror.yml‎
Lines changed: 9 additions & 2 deletions b/‎.github/workflows/mirror.yml‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎.github/workflows/npm-bun-blocker.yml‎
Lines changed: 8 additions & 1 deletion b/‎.github/workflows/npm-bun-blocker.yml‎
Lines changed: 8 additions & 1 deletion
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: "CodeQL"
 
 on:
@@ -8,16 +9,17 @@ on:
   schedule:
     - cron: '30 1 * * 1'
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     timeout-minutes: 360
     permissions:
       security-events: write
-      packages: read
-      actions: read
       contents: read
+      actions: read
 
     strategy:
       fail-fast: false
@@ -32,10 +34,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -45,6 +47,6 @@ jobs:
         echo 'Build step for compiled languages'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
       with:
         category: "/language:${{matrix.language}}"
@@ -1,4 +1,6 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: CodeQL Security Analysis
+
 on:
   push:
     branches: [main, master]
@@ -7,29 +9,32 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
+permissions: read-all
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         language: ['javascript', 'python', 'go', 'java', 'ruby']
     steps:
-      - uses: actions/checkout@v6
-      
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
         continue-on-error: true
-      
+
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         continue-on-error: true
-      
+
       - name: Perform Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         continue-on-error: true
@@ -1,17 +1,23 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Comprehensive Quality Gates
+
 on:
   push:
     branches: [main, master]
   pull_request:
   schedule:
     - cron: '0 5 * * 0'
 
+permissions: read-all
+
 jobs:
   # DEPENDABILITY - Stability and reliability
   dependability:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check test coverage
         run: |
           echo "Checking for test files..."
@@ -29,10 +35,12 @@ jobs:
   # SECURITY - Multi-layer security scanning
   security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Secret scanning
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3.88.3
         continue-on-error: true
       - name: Dependency vulnerabilities
         run: |
@@ -49,8 +57,10 @@ jobs:
   # INTEROPERABILITY - API and format compatibility
   interoperability:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check API specs
         run: |
           if [ -f "openapi.yaml" ] || [ -f "openapi.json" ]; then
@@ -66,8 +76,10 @@ jobs:
   # VALIDATION - Input/output validation
   validation:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check for validation patterns
         run: |
           VALIDATION=$(grep -rE "validate|sanitize|Schema|Validator" --include="*.rs" --include="*.res" --include="*.ex" . 2>/dev/null | wc -l || echo "0")
@@ -81,7 +93,7 @@ jobs:
       contents: read
       attestations: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Generate SBOM
         run: |
           echo "SBOM generation would run here"
@@ -96,8 +108,10 @@ jobs:
   # VERIFICATION - Formal methods where applicable
   verification:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check SPARK proofs
         run: |
           if find . -name "*.ads" | grep -q .; then
@@ -112,8 +126,10 @@ jobs:
   # FUNCTIONALITY - Feature completeness
   functionality:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check TODOs and FIXMEs
         run: |
           echo "=== Incomplete items ==="
@@ -125,8 +141,10 @@ jobs:
   # PERFORMANCE - Benchmarks and profiling
   performance:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check for benchmarks
         run: |
           BENCHES=$(find . -name "*bench*" -o -name "*perf*" | wc -l)
@@ -141,9 +159,11 @@ jobs:
   # ACCESSIBILITY - A11y compliance
   accessibility:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: hashFiles('**/*.html') != ''
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: HTML accessibility check
         run: |
           echo "Checking for a11y attributes..."
@@ -156,8 +176,10 @@ jobs:
   # LICENSE COMPLIANCE
   license:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check license files
         run: |
           if [ -f "LICENSE" ] || [ -f "LICENSE.txt" ] || [ -f "LICENSE.md" ]; then
@@ -174,8 +196,10 @@ jobs:
   # DOCUMENTATION QUALITY
   documentation:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check docs completeness
         run: |
           DOCS=""
 
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
@@ -11,19 +12,24 @@
 # For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
 
 name: SLSA generic generator
+
 on:
   workflow_dispatch:
   release:
     types: [created]
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       digests: ${{ steps.hash.outputs.digests }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # ========================================================
       #
 
@@ -1,10 +1,17 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Guix/Nix Package Policy
+
 on: [push, pull_request]
+
+permissions: read-all
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Enforce Guix primary / Nix fallback
         run: |
           # Check for package manager files
 
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Haskell CI
 
 on:
@@ -6,23 +7,23 @@ on:
   pull_request:
     branches: [ "main" ]
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
-    - uses: actions/checkout@v6
-    - uses: actions/setup-haskell@v1
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-haskell@28c8ff1d6cbeaed15ce310b1952dc19352a0a07d # v1.1.5
       with:
         ghc-version: '8.10.3'
         cabal-version: '3.2'
 
     - name: Cache
-      uses: actions/cache@v5
+      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
       env:
         cache-name: cache-cabal
       with:
 
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: Mirror to GitLab and Bitbucket
 
 on:
@@ -7,14 +8,18 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   mirror-gitlab:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: ${{ vars.GITLAB_MIRROR_ENABLED == 'true' }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
@@ -29,11 +34,13 @@ jobs:
 
   mirror-bitbucket:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: ${{ vars.BITBUCKET_MIRROR_ENABLED == 'true' }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
 
@@ -1,10 +1,17 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 name: NPM/Bun Blocker
+
 on: [push, pull_request]
+
+permissions: read-all
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Block npm/bun
         run: |
           if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then