hyperpolymath · hyperpolymath · Mar 3, 2026 · Mar 3, 2026
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MPL-2.0-or-later
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# All files in the repository
+* @hyperpolymath
@@ -7,16 +7,20 @@ on:
   pull_request:
     branches: [ main, develop ]
 
+permissions: read-all
+
 jobs:
   # RSR Compliance Check
   rsr-compliance:
     name: RSR Compliance Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
 
@@ -27,11 +31,13 @@ jobs:
   lint:
     name: Lint & Format Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
           cache: 'npm'
@@ -51,11 +57,13 @@ jobs:
   typecheck:
     name: TypeScript Type Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
           cache: 'npm'
@@ -71,11 +79,13 @@ jobs:
   build:
     name: Build All Packages
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
           cache: 'npm'
@@ -88,7 +98,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4.6.0
         with:
           name: build-artifacts
           path: |
@@ -101,11 +111,13 @@ jobs:
   test:
     name: Test Suite
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
           cache: 'npm'
@@ -118,7 +130,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
         with:
           files: coverage/lcov.info
         continue-on-error: true
@@ -127,11 +139,13 @@ jobs:
   security:
     name: Security Audit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
 
@@ -140,7 +154,7 @@ jobs:
         continue-on-error: true
 
       - name: Check for secrets
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}
@@ -151,11 +165,13 @@ jobs:
   docker:
     name: Docker Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6df267d1d40129fc4270f28032d0 # v3.10.0
 
       - name: Build Docker images
         run: docker-compose build
@@ -165,11 +181,13 @@ jobs:
   a11y:
     name: Accessibility Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0
         with:
           node-version: '20'
           cache: 'npm'
@@ -181,6 +199,7 @@ jobs:
         run: npm run test:a11y --workspaces --if-present
         continue-on-error: true
 
+
   # Summary
   ci-summary:
     name: CI Summary

@@ -28,16 +28,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
       - name: Build with Jekyll
-        uses: actions/jekyll-build-pages@v1
+        uses: actions/jekyll-build-pages@483d13b77a3ddc98f58a1b3910aacc19a7f337c3 # v1.0.13
         with:
           source: ./
           destination: ./_site
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dee4629d657e # v3.0.1
 
   # Deployment job
   deploy:
@@ -49,4 +49,5 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6dbca28e605e47460e141952724c5747a3e723e # v4.0.5
+
@@ -1,11 +1,17 @@
 # SPDX-License-Identifier: MPL-2.0-or-later
 name: PHP Security Check
 on: [push, pull_request]
+
+permissions: read-all
+
 jobs:
   security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
+
       - name: PHP Security Scan
         run: |
           # Check for dangerous functions

@@ -2,14 +2,19 @@
 name: ReScript/Deno CI
 on: [push, pull_request]
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: denoland/setup-deno@v1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
+      - uses: denoland/setup-deno@9db7efd2d8d10d73081f64624f472263a3d12f20 # v1.1.4
         with:
           deno-version: v1.x
+
 
       - name: Deno lint
         run: deno lint
@@ -32,9 +37,12 @@ jobs:
 
   security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: denoland/setup-deno@v1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
+      - uses: denoland/setup-deno@9db7efd2d8d10d73081f64624f472263a3d12f20 # v1.1.4
+
       - name: Check permissions
         run: |
           # Audit for dangerous permissions

@@ -0,0 +1,29 @@
+# OpenSSF Best Practices (CII) Adherence
+
+This document tracks the project's adherence to the [OpenSSF Best Practices Badge](https://best-practices.coreinfrastructure.org/) criteria.
+
+## Summary
+The Accessibility Everywhere project is committed to following open-source security and quality best practices.
+
+## Change Control
+- **Public Repository**: All source code is hosted on GitHub and is public.
+- **Version Control**: We use Git for version control.
+- **Unique Versioning**: All releases use unique version identifiers (SemVer).
+
+## Reporting
+- **Bug Reporting Process**: Documented in `CONTRIBUTING.md`.
+- **Vulnerability Reporting**: A clear `SECURITY.md` file defines the private reporting process.
+
+## Quality
+- **Automated Builds**: We use GitHub Actions for automated builds and CI.
+- **Testing**: Automated test suites are integrated into the CI pipeline.
+- **New Features**: New functionality is required to have associated tests.
+
+## Security
+- **Secure Development**: We use automated security scanners (CodeQL, Trufflehog, Hypatia).
+- **Dependency Pinning**: All GitHub Actions and critical dependencies are pinned to specific versions/SHAs.
+- **No Hardcoded Secrets**: Scanned via `trufflehog` and `gitleaks`.
+
+## Best Practices
+- **SPDX Headers**: We use SPDX license identifiers in all source files.
+- **Code Review**: All changes require a pull request and code review before merging to `main`.
@@ -0,0 +1,9 @@
+# Security Acknowledgments
+
+We would like to thank the following researchers for their contributions to keeping Accessibility Everywhere safe.
+
+## 2026
+- Currently no entries.
+
+## 2025
+- Currently no entries.
@@ -0,0 +1,20 @@
+# Fuzzing for Accessibility Everywhere
+
+This directory contains fuzzing configurations and targets for automated testing of accessibility scanners and parsers.
+
+## Strategy
+
+We use automated fuzzing to ensure that our parsers (DOM, CSS, and ARIA) handle unexpected or malicious input gracefully without crashing.
+
+## Targets
+
+- `fuzz_target_dom.js`: Fuzzes the DOM traversal and ARIA attribute parsing.
+- `fuzz_target_css.js`: Fuzzes the CSS accessibility property extractor.
+
+## Running Fuzzers
+
+Fuzzing is integrated into the CI/CD pipeline via specialized jobs. To run locally:
+
+```bash
+deno test --allow-all tests/fuzz/
+```