ci: harden workflows with least-privilege permissions, CodeQL, and actionlint

Tighten the CI/CD supply chain to close OpenSSF Scorecard gaps:

- Set a least-privilege top-level `permissions: contents: read` on the
  backport-fixes, ci, cut-release, dependency-review, publish-pypi, and
  release workflows; jobs re-grant only the write scopes they need.
- Add a CodeQL workflow running the security-extended query suite on the
  Python sources (SAST) for pushes, pull requests, and a weekly schedule.
  The analyze job is gated on public-repo visibility, since SARIF upload
  to code scanning requires public repos.
- Add an actionlint workflow that lints `.github/workflows/**` at PR time.
  The actionlint installer is fetched by commit SHA and sha256-verified
  before it runs, and shellcheck is wired in explicitly.
- Replace the fragile `grep`-based artifact version check in publish-pypi
  with a `compgen -G` glob match so version verification no longer depends
  on regex-escaping the version string.

Author: muralx

.github/workflows/backport-fixes.yml

@@ -31,6 +31,10 @@ concurrency:
   group: backport-${{ inputs.fromBranch }}-to-${{ inputs.toBranch }}
   cancel-in-progress: false
 
+# Least-privilege default; the job re-grants the write scopes it needs.
+permissions:
+  contents: read
+
 jobs:
   backport:
     runs-on: ubuntu-latest

.github/workflows/ci.yml

@@ -6,6 +6,10 @@ on:
     branches:
       - main
 
+# Least-privilege default; this workflow only reads the repo.
+permissions:
+  contents: read
+
 jobs:
   quality:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -0,0 +1,57 @@
+name: CodeQL
+
+# Static application security testing (SAST) for the Python sources across
+# all workspace packages. Runs CodeQL's security-extended query suite on
+# pull requests, pushes to main, and a weekly schedule, uploading results
+# to the GitHub Security tab.
+#
+# Closes the OpenSSF Scorecard "SAST" gap: CodeQL statically analyzes the
+# first-party source, complementing the dependency-vulnerability scanning
+# (pip-audit) that runs separately.
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    # Wednesdays 06:00 UTC
+    - cron: "0 6 * * 3"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (python)
+    # Code scanning (SARIF upload) requires GitHub Code Security, which is
+    # only available on public repos. Gate on visibility so the job only
+    # runs when the repo is public.
+    if: ${{ github.event.repository.visibility == 'public' }}
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for CodeQL to upload its SARIF results to code scanning.
+      security-events: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # build-mode: none — CodeQL analyzes Python sources directly, no
+      # compilation step required.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          languages: python
+          build-mode: none
+          queries: security-extended
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          category: "/language:python"

.github/workflows/cut-release.yml

@@ -41,6 +41,10 @@ concurrency:
   group: cut-release
   cancel-in-progress: false
 
+# Least-privilege default; the job re-grants the write scope it needs.
+permissions:
+  contents: read
+
 jobs:
   cut:
     runs-on: ubuntu-latest

.github/workflows/dependency-review.yml

@@ -3,6 +3,10 @@ name: Dependency Review
 on:
   pull_request:
 
+# Least-privilege default; the job re-grants what it needs.
+permissions:
+  contents: read
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

.github/workflows/publish-pypi.yml

@@ -18,6 +18,10 @@ concurrency:
   group: publish-pypi-${{ github.ref }}
   cancel-in-progress: false
 
+# Least-privilege default; the job re-grants the scopes it needs (OIDC).
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -78,7 +82,7 @@ jobs:
         run: |
           v="${{ steps.version.outputs.version }}"
           for dir in dist authplane-mcp/dist authplane-fastmcp/dist; do
-            if ! ls "$dir" | grep -q "${v//./\\.}"; then
+            if ! compgen -G "$dir/*$v*" > /dev/null; then
               echo "::error::Built artifacts in ${dir} do not contain version ${v}. hatch-vcs likely resolved a different version. Refusing to publish."
               ls "$dir"
               exit 1

.github/workflows/release.yml

@@ -38,6 +38,10 @@ concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false
 
+# Least-privilege default; the job re-grants the write scope it needs.
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest

.github/workflows/workflows-lint.yml

@@ -0,0 +1,64 @@
+name: Lint workflows
+
+# Catches workflow YAML / shell-in-`run:` regressions at PR time so a
+# typo can't reach a release tag and surface only when a publish run
+# fails. Scoped to changes under `.github/workflows/**` to keep CI
+# overhead off unrelated PRs.
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # Pulls the matching actionlint binary release from GitHub Releases
+      # via the upstream download script. The script is fetched by commit
+      # SHA (not a mutable tag) and sha256-verified before it runs — this
+      # closes Scorecard's "downloadThenRun not pinned by hash" gap. The
+      # script then checksum-verifies the actionlint binary it pulls from
+      # the matching release.
+      #
+      # To bump: change ACTIONLINT_VERSION, set ACTIONLINT_SCRIPT_SHA to the
+      # commit the new tag points at (`gh api repos/rhysd/actionlint/commits/vX.Y.Z -q .sha`),
+      # and update ACTIONLINT_SCRIPT_SHA256 to that file's sha256.
+      #
+      # Install dir is passed explicitly as the script's second positional
+      # arg so the workflow doesn't couple to the script's internal default
+      # of $PWD (which happens to be $GITHUB_WORKSPACE after checkout —
+      # a coincidence, not a contract).
+      - name: Install actionlint
+        env:
+          ACTIONLINT_VERSION: "1.7.7"
+          ACTIONLINT_SCRIPT_SHA: "03d0035246f3e81f36aed592ffb4bebf33a03106"
+          ACTIONLINT_SCRIPT_SHA256: "221d1d16c03e4e4fcd867de34104e8d479bdce20ccdfa553b9a5c0dc29bf6af2"
+          ACTIONLINT_INSTALL_DIR: ${{ runner.temp }}/actionlint
+        run: |
+          mkdir -p "${ACTIONLINT_INSTALL_DIR}"
+          script="${ACTIONLINT_INSTALL_DIR}/download-actionlint.bash"
+          curl -fsSL -o "${script}" \
+            "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_SCRIPT_SHA}/scripts/download-actionlint.bash"
+          echo "${ACTIONLINT_SCRIPT_SHA256}  ${script}" | sha256sum -c -
+          bash "${script}" "${ACTIONLINT_VERSION}" "${ACTIONLINT_INSTALL_DIR}"
+          echo "${ACTIONLINT_INSTALL_DIR}" >> "${GITHUB_PATH}"
+          "${ACTIONLINT_INSTALL_DIR}/actionlint" -version
+
+      # `-shellcheck=shellcheck` makes the shellcheck dependency explicit
+      # rather than relying on actionlint's implicit lookup against the
+      # runner image's $PATH; if the Ubuntu image ever drops shellcheck the
+      # job fails loudly instead of silently degrading.
+      - name: Run actionlint
+        run: actionlint -color -shellcheck=shellcheck