ci: deploy missing standard workflows (5 added)

hyperpolymath · claude · hyperpolymath · commit 2f3d573a9e8e · 2026-03-16T02:22:32.000Z
Added from rsr-template-repo: standardizing CI/CD across all repos.

Part of global TODO cleanup (2026-03-16).

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Instant Forge Sync - Triggers propagation to all forges on push/release
+name: Instant Sync
+
+on:
+  push:
+    branches: [main, master]
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Propagation
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
+        with:
+          token: ${{ secrets.FARM_DISPATCH_TOKEN }}
+          repository: hyperpolymath/.git-private-farm
+          event-type: propagate
+          client-payload: |-
+            {
+              "repo": "${{ github.event.repository.name }}",
+              "ref": "${{ github.ref }}",
+              "sha": "${{ github.sha }}",
+              "forges": ""
+            }
+
+      - name: Confirm
+        run: echo "::notice::Propagation triggered for ${{ github.event.repository.name }}"
diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: NPM/Bun Blocker
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Block npm/bun
+        run: |
+          if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then
+            echo "❌ npm/bun artifacts detected. Use Deno instead."
+            exit 1
+          fi
+          echo "✅ No npm/bun violations"
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
+name: OpenSSF Scorecard Enforcer
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write  # For OIDC
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v3
+        with:
+          sarif_file: results.sarif
+
+      - name: Check minimum score
+        run: |
+          # Parse score from results
+          SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0")
+
+          echo "OpenSSF Scorecard Score: $SCORE"
+
+          # Minimum acceptable score (0-10 scale)
+          MIN_SCORE=5
+
+          if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then
+            echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
+            exit 1
+          fi
+
+  # Check specific high-priority items
+  check-critical:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Check SECURITY.md exists
+        run: |
+          if [ ! -f "SECURITY.md" ]; then
+            echo "::error::SECURITY.md is required"
+            exit 1
+          fi
+
+      - name: Check for pinned dependencies
+        run: |
+          # Check workflows for unpinned actions
+          unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
+          if [ -n "$unpinned" ]; then
+            echo "::warning::Found unpinned actions:"
+            echo "$unpinned"
+          fi
diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: TypeScript/JavaScript Blocker
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Block new TypeScript/JavaScript
+        run: |
+          NEW_TS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(ts|tsx)$' | grep -v '\.gen\.' || true)
+          NEW_JS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(js|jsx)$' | grep -v '\.res\.js$' | grep -v '\.gen\.' | grep -v 'node_modules' || true)
+          
+          if [ -n "$NEW_TS" ] || [ -n "$NEW_JS" ]; then
+            echo "❌ New TS/JS files detected. Use ReScript instead."
+            [ -n "$NEW_TS" ] && echo "$NEW_TS"
+            [ -n "$NEW_JS" ] && echo "$NEW_JS"
+            exit 1
+          fi
+          echo "✅ ReScript policy enforced"
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: Well-Known Standards (RFC 9116 + RSR)
+on:
+  push:
+    branches: [main, master]
+    paths:
+      - '.well-known/**'
+      - 'security.txt'
+  pull_request:
+    paths:
+      - '.well-known/**'
+  schedule:
+    # Weekly expiry check
+    - cron: '0 9 * * *'
+  workflow_dispatch:
+
+
+permissions: read-all
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      
+      - name: RFC 9116 security.txt validation
+        run: |
+          SECTXT=""
+          [ -f ".well-known/security.txt" ] && SECTXT=".well-known/security.txt"
+          [ -f "security.txt" ] && SECTXT="security.txt"
+          
+          if [ -z "$SECTXT" ]; then
+            echo "::warning::No security.txt found. See https://github.com/{{OWNER}}/well-known-ecosystem"
+            exit 0
+          fi
+          
+          # Required: Contact
+          grep -q "^Contact:" "$SECTXT" || { echo "::error::Missing Contact field"; exit 1; }
+          
+          # Required: Expires
+          if ! grep -q "^Expires:" "$SECTXT"; then
+            echo "::error::Missing Expires field"
+            exit 1
+          fi
+          
+          # Check expiry
+          EXPIRES=$(grep "^Expires:" "$SECTXT" | cut -d: -f2- | tr -d ' ' | head -1)
+          if date -d "$EXPIRES" > /dev/null 2>&1; then
+            DAYS=$(( ($(date -d "$EXPIRES" +%s) - $(date +%s)) / 86400 ))
+            if [ $DAYS -lt 0 ]; then
+              echo "::error::security.txt EXPIRED"
+              exit 1
+            elif [ $DAYS -lt 30 ]; then
+              echo "::warning::security.txt expires in $DAYS days"
+            else
+              echo "✅ security.txt valid ($DAYS days)"
+            fi
+          fi
+
+      - name: RSR well-known compliance
+        run: |
+          MISSING=""
+          [ ! -f ".well-known/security.txt" ] && [ ! -f "security.txt" ] && MISSING="$MISSING security.txt"
+          [ ! -f ".well-known/ai.txt" ] && MISSING="$MISSING ai.txt"
+          [ ! -f ".well-known/humans.txt" ] && MISSING="$MISSING humans.txt"
+          
+          if [ -n "$MISSING" ]; then
+            echo "::warning::Missing RSR recommended files:$MISSING"
+            echo "Reference: https://github.com/{{OWNER}}/well-known-ecosystem/.well-known/"
+          else
+            echo "✅ RSR well-known compliant"
+          fi
+
+      - name: Mixed content check
+        run: |
+          MIXED=$(grep -rE 'src="http://|href="http://' --include="*.html" --include="*.htm" . 2>/dev/null | grep -vE 'localhost|127\.0\.0\.1|example\.com' | head -5 || true)
+          if [ -n "$MIXED" ]; then
+            echo "::error::Mixed content (HTTP in HTML)"
+            echo "$MIXED"
+            exit 1
+          fi
+          echo "✅ No mixed content"
+
+      - name: DNS security records check
+        if: hashFiles('CNAME') != ''
+        run: |
+          DOMAIN=$(cat CNAME 2>/dev/null | tr -d '\n')
+          if [ -n "$DOMAIN" ]; then
+            echo "Checking DNS for $DOMAIN..."
+            # CAA record
+            dig +short CAA "$DOMAIN" | grep -q "issue" && echo "✅ CAA record" || echo "::warning::No CAA record"
+            # DNSSEC
+            dig +dnssec +short "$DOMAIN" | grep -q "RRSIG" && echo "✅ DNSSEC" || echo "::warning::No DNSSEC"
+          fi
