ci: fix paths-filter shallow-clone race and scorecard allowlist

.github/workflows/ci.yml

@@ -44,9 +44,15 @@ jobs:
       # requires push access to the upstream.
       is_release_please: ${{ (github.event_name == 'pull_request' && startsWith(github.head_ref, 'release-please--') && github.event.pull_request.user.login == 'synthorg-repo-bot[bot]') || (github.event_name != 'pull_request' && startsWith(github.ref, 'refs/heads/release-please--')) }}
     steps:
+      # fetch-depth: 0 needed by paths-filter on push: events. With a shallow
+      # checkout it falls back to two back-to-back `git fetch --depth=1` calls
+      # (base SHA + main) that both rewrite `.git/shallow`; the second races
+      # the first and dies with `fatal: shallow file has changed since we
+      # read it`. Full history skips the remote fetches entirely.
       - uses: Aureliolo/synthorg/.github/actions/checkout@25921183f274c930bf473dc0339376bda0961eaf
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: "0"
           persist-credentials: false
       - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter
@@ -228,9 +234,17 @@ jobs:
     permissions:
       contents: read
     steps:
+      # fetch-depth: 0 needed by the "Enforce at most one new revision per
+      # PR" step below: `git diff base...HEAD` uses the three-dot merge-base
+      # form, which is undefined on a shallow clone (no shared ancestry).
+      # Without full history the rule either misses additions or fires
+      # false positives, depending on which commit happens to be the
+      # shallow root. The cost (one checkout) is small; this job already
+      # runs full schema-drift validation.
       - uses: Aureliolo/synthorg/.github/actions/checkout@25921183f274c930bf473dc0339376bda0961eaf
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: "0"
           persist-credentials: false
       - uses: ./.github/actions/setup-python-uv
 
@@ -239,7 +253,7 @@ jobs:
         env:
           GH_BASE_REF: ${{ github.base_ref }}
         run: |
-          git fetch origin "$GH_BASE_REF" --depth=1
+          git fetch origin "$GH_BASE_REF"
           base_ref="origin/$GH_BASE_REF"
           mapfile -t new_revs < <(
             git diff --name-only --diff-filter=A "$base_ref"...HEAD -- \

.github/workflows/cli.yml

@@ -32,9 +32,12 @@ jobs:
     outputs:
       changed: ${{ steps.filter.outputs.cli || startsWith(github.ref, 'refs/tags/v') }}
     steps:
+      # fetch-depth: 0. See ci.yml Detect Changes for full rationale:
+      # paths-filter on push: events races on shallow checkouts.
       - uses: Aureliolo/synthorg/.github/actions/checkout@25921183f274c930bf473dc0339376bda0961eaf
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: "0"
           persist-credentials: false
       - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter

.github/workflows/codspeed.yml

@@ -58,9 +58,12 @@ jobs:
       python: ${{ steps.filter.outputs.python }}
       web: ${{ steps.filter.outputs.web }}
     steps:
+      # fetch-depth: 0. See ci.yml Detect Changes for full rationale:
+      # paths-filter on push: events races on shallow checkouts.
       - uses: Aureliolo/synthorg/.github/actions/checkout@25921183f274c930bf473dc0339376bda0961eaf
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: "0"
           persist-credentials: false
       - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter

.github/workflows/docker.yml

@@ -65,9 +65,12 @@ jobs:
       fine-tune: ${{ steps.filter.outputs.fine-tune }}
       web: ${{ steps.filter.outputs.web }}
     steps:
+      # fetch-depth: 0. See ci.yml Detect Changes for full rationale:
+      # paths-filter on push: events races on shallow checkouts.
       - uses: Aureliolo/synthorg/.github/actions/checkout@25921183f274c930bf473dc0339376bda0961eaf
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: "0"
           persist-credentials: false
       - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter

.github/workflows/scorecard.yml

@@ -19,7 +19,11 @@ jobs:
       contents: read
       actions: read
     steps:
-      - uses: Aureliolo/synthorg/.github/actions/checkout@25921183f274c930bf473dc0339376bda0961eaf
+      # ossf/scorecard-action enforces a workflow-step allowlist on the job
+      # that contains it. The local retry-wrapped checkout composite is not
+      # allowlisted, so we must call actions/checkout directly here. SHA
+      # matches the one pinned inside .github/actions/checkout (v6).
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.sha }}
           persist-credentials: false