From 4ea7c1255ec39911f318c3fe5848350193298e6a Mon Sep 17 00:00:00 2001
From: Lakshman Patel
Date: Fri, 26 Jun 2026 06:24:40 +0530
Subject: [PATCH 1/2] ci: add CODEOWNERS, dependabot.yml, and SHA-pinned actions
---
 .github/CODEOWNERS | 26 ++++++++++++++++++++++++++
 .github/dependabot.yml | 16 ++++++++++++++++
 .github/workflows/ci.yml | 36 ++++++++++++++++++------------------
 3 files changed, 60 insertions(+), 18 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/dependabot.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..69c66eb
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,26 @@
+# CODEOWNERS for trace (session recording & provenance engine)
+* @GrayCodeAI/maintainers
+
+# Engine core
+/cli/ @GrayCodeAI/core-team
+/cmd/ @GrayCodeAI/core-team
+/redact/ @GrayCodeAI/core-team @GrayCodeAI/security-team
+/rules/ @GrayCodeAI/core-team
+
+# API surface
+/api/ @GrayCodeAI/core-team
+/mcp/ @GrayCodeAI/core-team
+
+# Performance
+/perf/ @GrayCodeAI/core-team
+
+# CI / release / build tooling
+/.github/ @GrayCodeAI/devops-team
+/Makefile @GrayCodeAI/devops-team
+/lefthook.yml @GrayCodeAI/devops-team
+/scripts/ @GrayCodeAI/devops-team
+/deploy/ @GrayCodeAI/devops-team
+
+# Documentation
+*.md @GrayCodeAI/docs-team
+/docs/ @GrayCodeAI/docs-team
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1b614bb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ go-deps:
+ patterns: ["*"]
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ actions:
+ patterns: ["*"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0304f4f..30a5790 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
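Review bot: In `.github/CODEOWNERS` the `*.md` rule sits after the path rules, and because the last matching pattern wins, Markdown files under `/redact/` and `/.github/` end up owned by `@GrayCodeAI/docs-team` alone, dropping the security-team and devops-team review for those files. If that is not intended, move `*.md` and `/docs/` up directly below the `*` default so the path-specific rules override them. `/.github/` (the workflows and CODEOWNERS itself) is owned by devops-team only; consider listing `@GrayCodeAI/security-team` there as on `/redact/`, since workflow edits change what CI executes. The file only gates merges when branch protection requires code-owner review and each listed team has write access to the repository.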
@@ -43,8 +43,8 @@ jobs:
 name: fmt + vet
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-go@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
@@ -69,14 +69,14 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-go@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
 - name: Boundary guard
 run: bash ./scripts/check-ecosystem-boundaries.sh
- - uses: golangci/golangci-lint-action@v9.2.1
+ - uses: golangci/golangci-lint-action@db582008a42febd596419635a5abc9d9815daa9c # v9.2.1
 with:
 version: v2.11.3
 install-mode: goinstall
@@ -90,8 +90,8 @@ jobs:
 name: test (race + cover)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-go@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
@@ -106,7 +106,7 @@ jobs:
 exit 1
 fi
 - name: Test
- run: go test ./... -race -count=1 -coverprofile=coverage.out -covermode=atomic -timeout=180s
+ run: go test ./... -race -count=1 -shuffle=on -coverprofile=coverage.out -covermode=atomic -timeout=180s
 - name: Coverage summary
 run: go tool cover -func=coverage.out | tail -1
 - name: Coverage threshold
@@ -119,7 +119,7 @@ jobs:
 fi
 echo "Coverage ${COVERAGE}% meets threshold ${THRESHOLD}%"
 - name: Upload coverage
- uses: actions/upload-artifact@v7.0.1
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: coverage
 path: coverage.out
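Review bot: The SHA pins on the `uses:` lines in ci.yml are left with no updater on the final tree, because [PATCH 2/2] deletes the `.github/dependabot.yml` that [PATCH 1/2] adds, so the `github-actions` ecosystem entry never runs and the pinned commits will not pick up upstream security fixes. This applies to the `uses:` changes here in hunk `-43` and equally in `-69`, `-90`, `-119`, `-131`, `-154`, `-170`, `-184` and `-210`. Either keep the `github-actions` entry from dependabot.yml or state in the commit message which tool will bump the pins. Before merging, confirm that each 40-character SHA is the commit its trailing `# vX.Y.Z` comment names in the action's own repository and not a commit reachable only through a fork; the diff alone cannot show that.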
@@ -131,8 +131,8 @@ jobs:
 name: security
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-go@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
@@ -154,8 +154,8 @@ jobs:
 name: deadcode
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-go@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
@@ -170,7 +170,7 @@ jobs:
 deadcode -test -f '{{range .Funcs}}{{printf "%s\t%s\n" $.Path .Name}}{{end}}' ./... | tee deadcode.txt
 echo "deadcode reported $(wc -l < deadcode.txt | tr -d ' ') unreachable funcs (advisory)"
 - name: upload deadcode report
- uses: actions/upload-artifact@v7.0.1
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: deadcode-report
@@ -184,8 +184,8 @@ jobs:
 name: duplication
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-node@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: '20'
 - name: jscpd
@@ -210,8 +210,8 @@ jobs:
 - goos: windows
 goarch: arm64
 steps:
- - uses: actions/checkout@v6.0.3
- - uses: actions/setup-go@v6.4.0
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
From 829d3d5e9a29a79bab7358d9f91a07fe382850ca Mon Sep 17 00:00:00 2001
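Review bot: Pinning `uses:` to a commit SHA does not cover the tools these ci.yml jobs fetch at run time. Hunk `-170` runs the `deadcode` binary and hunk `-184` leads into a `jscpd` step after the pinned setup actions; their install commands are outside the hunks, so this is inferred, but if they use `@latest` or an unversioned `npx`/`npm install` they remain floating dependencies executed in CI. Give them an explicit version the way the lint job already does with `version: v2.11.3`, and apply the same check to the scanner installed in the `security` job (hunk `-131`, install step not shown).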
From: Lakshman Patel
Date: Fri, 26 Jun 2026 06:35:14 +0530
Subject: [PATCH 2/2] chore: remove dependabot.yml
---
 .github/dependabot.yml | 16 ----------------
 1 file changed, 16 deletions(-)
 delete mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 1b614bb..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: gomod
- directory: /
- schedule:
- interval: weekly
- groups:
- go-deps:
- patterns: ["*"]
- - package-ecosystem: github-actions
- directory: /
- schedule:
- interval: weekly
- groups:
- actions:
- patterns: ["*"]