chore(CODEOWNERS): drop /.github/workflows/ line (Refs standards#55)

[hyperpolymath]

Per hyperpolymath/standards#55 decision (a) for solo-owned repos: removes the /.github/workflows/ CODEOWNERS line so Dependabot github-actions PRs stop auto-requesting review. No functional review gating is lost on a solo-owned repo.

Refs hyperpolymath/standards#55

🤖 Generated with Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 13 issues detected

Severity	Count
🔴 Critical	5
🟠 High	2
🟡 Medium	6

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/download-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Admitted leaves proof hole (1 occurrences, CWE-704)",
    "type": "admitted",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/verification/proofs/coq/TypeSafety.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/src/affine-plugin-improved.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (1 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in affinescript-vite: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in affinescript-vite",
    "type": "DependencyPinning",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
    "scorecard_check": "Pinned-Dependencies"
  },
  {
    "reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "6a2ml file outside canonical location -- must be in .machine_readable/6a2/",
    "type": "SD004",
    "file": ".machine_readable/STATE.a2ml",
    "action": "move",
    "rule_module": "structural_drift",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence