chore(TestingKit): workflow hygiene — ubuntu-24.04, permissions

.github/workflows/cargo-deny.yml

@@ -9,7 +9,7 @@ permissions:
   contents: read
 jobs:
   cargo-deny:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - uses: EmbarkStudios/cargo-deny-action@v2

.github/workflows/ci.yml

@@ -1,4 +1,7 @@
 # Generated CI workflow - calls reusable phenotype workflow
+permissions:
+  contents: read
+  pull-requests: read
 name: CI
 
 on:

.github/workflows/codeql.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze Rust
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       actions: read
       contents: read

.github/workflows/coverage.yml

@@ -1,4 +1,7 @@
 # Generated coverage workflow - calls reusable phenotype workflow
+permissions:
+  contents: read
+  pull-requests: read
 name: Coverage
 
 on:

.github/workflows/dependency-review.yml

@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/fr-coverage.yml

@@ -1,8 +1,11 @@
 name: fr-coverage
+permissions:
+  contents: read
+  pull-requests: read
 on: [pull_request]
 jobs:
   fr:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

.github/workflows/journey-gate.yml

@@ -1,4 +1,7 @@
 # =============================================================================
+permissions:
+  contents: read
+  pull-requests: read
 # Journey Gate — Reusable Workflow
 # =============================================================================
 # Canonical source: phenotype-infra/docs/governance/ci-journey-gate.yml
@@ -50,7 +53,7 @@
 jobs:
   journey-gate:
     name: Journey Verification
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
 
     steps:
@@ -233,7 +236,7 @@
   # --------------------------------------------------------------------------
   stub-mode:
     name: Journey Gate — No Manifests Found
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: journey-gate
     if: needs.journey-gate.result == 'failure' && needs.journey-gate.outputs.MANIFEST_COUNT == '0'
     steps:

.github/workflows/quality-gate.yml

@@ -1,8 +1,11 @@
 name: quality-gate
+permissions:
+  contents: read
+  pull-requests: read
 on: [push, pull_request]
 jobs:
   gate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

.github/workflows/scorecard.yml

@@ -11,7 +11,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
       id-token: write

.github/workflows/trufflehog.yml

@@ -1,12 +1,15 @@
 name: Trufflehog Secrets Scan
+permissions:
+  contents: read
+  pull-requests: read
 on:
   push:
     branches: [main]
   pull_request:
 
 jobs:
   trufflehog:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:

.pre-commit-config.yaml

@@ -0,0 +1,15 @@
+# Pre-commit hooks for TestingKit
+# Install: pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: detect-private-key