KooshaPari · KooshaPari · Jun 2, 2026 · May 28, 2026
@@ -1,4 +1,7 @@
 name: Auto Merge
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   pull_request:
@@ -7,7 +10,7 @@ on:
 
 jobs:
   auto-merge:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.actor == 'dependabot[bot]' || github.actor == 'pre-commit-ci[bot]'
     steps:
       - name: Checkout

@@ -1,4 +1,7 @@
 name: Benchmarks
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   push:
@@ -15,7 +18,7 @@ concurrency:
 jobs:
   benchmark:
     name: Run Benchmarks
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 

@@ -1,4 +1,7 @@
 name: cargo-audit
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   push:
@@ -12,7 +15,7 @@ on:
 
 jobs:
   audit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
       - uses: rustsec/audit-check@v2

@@ -1,4 +1,7 @@
 name: cargo-deny
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   workflow_dispatch:
@@ -17,7 +20,7 @@ on:
 
 jobs:
   cargo-deny:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c

@@ -1,12 +1,15 @@
 name: cargo-machete
+permissions:
+  contents: read
+  pull-requests: read
 on:
   push: { branches: [main], paths: ['Cargo.toml', '**/Cargo.toml'] }
   pull_request: { paths: ['Cargo.toml', '**/Cargo.toml'] }
   schedule: [{ cron: '47 6 * * 4' }]
   workflow_dispatch:
 jobs:
   machete:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
       - uses: bnjbvr/cargo-machete@main
@@ -1,10 +1,13 @@
 name: cargo-semver-checks
+permissions:
+  contents: read
+  pull-requests: read
 on:
   pull_request: { paths: ['**/Cargo.toml'] }
   workflow_dispatch:
 jobs:
   semver-checks:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
       - uses: obi1kenobi/cargo-semver-checks-action@v2
@@ -1,4 +1,7 @@
 name: CI
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   push:
@@ -8,7 +11,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     strategy:
       matrix:
@@ -34,5 +37,5 @@ jobs:
 
 
   phenotype-validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main
@@ -12,7 +12,7 @@ on:
 jobs:
   analyze:
     name: Analyze (rust)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 360
     permissions:
       actions: read

@@ -16,7 +16,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze Rust
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       actions: read
       contents: read

@@ -1,8 +1,11 @@
 name: Coverage
+permissions:
+  contents: read
+  pull-requests: read
 on: [push, pull_request]
 jobs:
   coverage:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
       - name: Run coverage

@@ -1,4 +1,7 @@
 # =============================================================================
+permissions:
+  contents: read
+  pull-requests: read
 # Journey Gate — Reusable Workflow
 # =============================================================================
 # Canonical source: phenotype-infra/docs/governance/ci-journey-gate.yml
@@ -50,7 +53,7 @@
 jobs:
   journey-gate:
     name: Journey Verification
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
 
     steps:
@@ -233,7 +236,7 @@
   # --------------------------------------------------------------------------
   stub-mode:
     name: Journey Gate — No Manifests Found
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: journey-gate
     if: needs.journey-gate.result == 'failure' && needs.journey-gate.outputs.MANIFEST_COUNT == '0'
     steps:

@@ -8,7 +8,7 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       pages: write

@@ -1,4 +1,7 @@
 name: Pre-commit Hooks
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   push:
@@ -8,7 +11,7 @@ on:
 
 jobs:
   pre-commit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 

@@ -1,4 +1,7 @@
 name: Quality Gate
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   pull_request:
@@ -10,7 +13,7 @@ env:
 
 jobs:
   check-changes:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     outputs:
       has_tests: ${{ steps.check.outputs.has_tests }}
       has_e2e: ${{ steps.check.outputs.has_e2e }}
@@ -30,7 +33,7 @@ jobs:
 
   unit-tests:
     name: Unit Tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 
@@ -67,7 +70,7 @@ jobs:
     name: E2E Tests
     needs: check-changes
     if: needs.check-changes.outputs.has_e2e == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 
@@ -84,7 +87,7 @@ jobs:
     name: Integration Tests
     needs: check-changes
     if: needs.check-changes.outputs.has_integration == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 
@@ -99,7 +102,7 @@ jobs:
 
   fr-annotation-check:
     name: FR Annotation Check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
         with:
@@ -137,7 +140,7 @@ jobs:
     name: Quality Report
     needs: [unit-tests, e2e-tests, integration-tests, fr-annotation-check]
     if: always()
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 

@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: contains(github.event.head_commit.message, 'release:') || contains(github.event.head_commit.message, 'chore(release)')
     outputs:
       version: $123steps.version.outputs.version125
@@ -45,7 +45,7 @@ jobs:
 
   promote:
     needs: release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 

@@ -1,12 +1,15 @@
 name: Security (SAST)
+permissions:
+  contents: read
+  pull-requests: read
 on:
   push:
     branches: [main, develop]
   pull_request:
   schedule: [{cron: "0 2 * * *"}]
 jobs:
   codeql:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
       - uses: github/codeql-action/init-action@v3

@@ -11,7 +11,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
       id-token: write

@@ -1,4 +1,7 @@
 name: Security Guard
+permissions:
+  contents: read
+  pull-requests: read
 
 on:
   pull_request:
@@ -8,7 +11,7 @@ on:
 
 jobs:
   security-guard:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
         with:

@@ -21,7 +21,7 @@ jobs:
   # Secret Scanning
   secrets:
     name: Secret Detection
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
@@ -37,7 +37,7 @@ jobs:
   # SAST Scanning
   sast:
     name: SAST Analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
     steps:
@@ -61,7 +61,7 @@ jobs:
   # Dependency Vulnerability Scanning
   dependencies:
     name: Dependency Audit
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
@@ -80,7 +80,7 @@ jobs:
   # Container Scanning (if Dockerfile exists)
   container:
     name: Container Scan
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: ${{ hashFiles('Dockerfile') != '' }}
     steps:
       - name: Checkout

@@ -1,12 +1,15 @@
 name: Trufflehog Secrets Scan
+permissions:
+  contents: read
+  pull-requests: read
 on:
   push:
     branches: [main]
   pull_request:
 
 jobs:
   trufflehog:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: