From 67c53076dcf233ec29f01629ab75b3504c11963e Mon Sep 17 00:00:00 2001
From: Barklees Sanders <30680901+barkleesanders@users.noreply.github.com>
Date: Wed, 1 Apr 2026 01:05:45 -0700
Subject: [PATCH] fix(security): close three supply chain gaps

- SHA-pin all pre-commit hook revs (gitleaks, shellcheck-py, pre-commit-hooks, mirrors-typos, zizmor) to full commit SHAs with tag comments for auditability
- Add OpenSSF Scorecard badge to README alongside existing CI badges
- Pin `cross` install in release workflow to v0.2.5 commit SHA instead of unpinned HEAD

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/create_release_assets.yml | 2 +-
 .pre-commit-config.yaml | 10 +++++-----
 README.md | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/create_release_assets.yml b/.github/workflows/create_release_assets.yml
index e19fa29c7..276a4cdc3 100644
--- a/.github/workflows/create_release_assets.yml
+++ b/.github/workflows/create_release_assets.yml
@@ -197,7 +197,7 @@ jobs:
 - name: install cross
 # Install from source to fix `ld: cannot find -lgeom` for freebsd build
- run: cargo +stable install --git https://github.com/cross-rs/cross cross
+ run: cargo +stable install --git https://github.com/cross-rs/cross --rev 88f49ff79e777bef6d3564531636ee4d3cc2f8d2 cross # v0.2.5
 - name: Run clippy
 run: cross clippy --all-targets --locked --target "${matrix_target}" -- -D warnings
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6d06c3566..320d9a851 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
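Review bot: The new `cargo +stable install --git https://github.com/cross-rs/cross --rev 88f49ff… cross` line pins only cross's own commit; without `--locked`, cargo still resolves cross's transitive dependency graph from the crates.io index at install time, so the supply-chain surface this commit set out to close stays open below the top level, while the clippy step two lines later already passes `--locked`. Provided the pinned commit ships a `Cargo.lock`, the install should read `run: cargo +stable install --locked --git https://github.com/cross-rs/cross --rev 88f49ff79e777bef6d3564531636ee4d3cc2f8d2 cross # v0.2.5`. The comment above the step says the from-source install exists to pick up a freebsd `-lgeom` fix that is presumably absent from releases; if that fix landed after the v0.2.5 tag, pinning to the tag's commit reintroduces the failure, so the SHA to pin is the HEAD commit that was actually verified to build, with the comment updated accordingly. The `# v0.2.5` mapping cannot be checked from the diff and should be confirmed against the upstream tag (an annotated tag's object SHA differs from the commit it points to). The enclosing job and step list continue outside the hunk.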
@@ -1,23 +1,23 @@
 repos:
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.30.0
+ rev: 6eaad039603a4de39fddd1cf5f727391efe9974e # v8.30.0
 hooks:
 - id: gitleaks
 - repo: https://github.com/shellcheck-py/shellcheck-py
- rev: v0.11.0.1
+ rev: 745eface02aef23e168a8afb6b5737818efbea95 # v0.11.0.1
 hooks:
 - id: shellcheck
 args: [--external-sources]
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v6.0.0
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
 hooks:
 - id: end-of-file-fixer
 - id: trailing-whitespace
 - repo: https://github.com/adhtruong/mirrors-typos
- rev: v1.44.0
+ rev: cf074ce7ed10a99b0147ee84edc05a6b5732a122 # v1.44.0
 hooks:
 - id: typos
 args:
@@ -29,7 +29,7 @@ repos:
 - repo: https://github.com/zizmorcore/zizmor-pre-commit
- rev: v1.16.3
+ rev: 86ee5ea442ee969842e00913c6b76c060a7aa8ef # v1.16.3
 hooks:
 - id: zizmor
 args: ['--persona=auditor', '--no-progress']
diff --git a/README.md b/README.md
index a9cad42c2..020d7040b 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ crates.io AUR Homebrew +OpenSSF Scorecard Feature Showcase
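Review bot: Pinning every `rev:` to a bare commit SHA means the next plain `pre-commit autoupdate` will rewrite each entry back to a tag name and silently undo this change; a header comment such as `# revs are pinned to commit SHAs for supply-chain auditability; bump with: pre-commit autoupdate --freeze` keeps the `--freeze` form (which emits the SHA plus a `# frozen: <tag>` comment) discoverable, and adopting that exact comment format here would let tooling and maintainers recognise the pins. The trailing `# v8.30.0`-style comments are the only human-readable link to the version and cannot be verified from the diff; confirm each SHA is the commit the tag resolves to rather than the annotated-tag object, since pre-commit accepts either but only the commit SHA is what a reviewer can compare against upstream. All five pinned values contain hex letters and so parse as strings, but an all-digit SHA would be read as an integer by YAML parsers; quoting the value (`rev: '6eaad039603a4de39fddd1cf5f727391efe9974e'`) makes the format robust to that, at the cost of diverging from what `--freeze` writes. The `repos:` list continues past the end of this hunk.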