diff --git a/.github/linters/.codespellrc b/.github/linters/.codespellrc
index 229066881..47dd5ccea 100644
--- a/.github/linters/.codespellrc
+++ b/.github/linters/.codespellrc
@@ -1,11 +1,11 @@
 [codespell]
 # Skip data tables that contain many short server identifiers (e.g. "fof", "nd")
 skip =
- lgsm/data/*.csv,
- package-lock.json,
- */package-lock.json,
- node_modules,
- */node_modules/*
+ lgsm/data/*.csv,
+ package-lock.json,
+ */package-lock.json,
+ node_modules,
+ */node_modules/*
 # Ignore common identifiers/acronyms and extensions used throughout LinuxGSM
 ignore-words-list = distroname,fof,nd,sav,parms,ThirdParty
diff --git a/.github/linters/.gitleaks.toml b/.github/linters/.gitleaks.toml
new file mode 100644
index 000000000..b61845ba6
--- /dev/null
+++ b/.github/linters/.gitleaks.toml
@@ -0,0 +1,9 @@
+title = "LinuxGSM Gitleaks Config"
+
+[allowlist]
+ description = "Known false positives"
+ regexes = [
+ # Google Analytics 4 Measurement Protocol API secret - not a sensitive credential,
+ # it is intentionally embedded in client-side code and is safe to be public.
+ '''apisecret="[A-Za-z0-9_\-]+"''',
+ ]
diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml
index 094bbbcd6..62d421814 100644
--- a/.github/linters/.markdown-lint.yml
+++ b/.github/linters/.markdown-lint.yml
@@ -12,12 +12,9 @@ MD013: false
 # MD033: The main README uses inline HTML for badges.
 MD033: false
-# Match existing list formatting in this repo.
+# MD007: Repo uses 2-space indentation for nested lists.
 MD007:
- indent: 4
+ indent: 2
-MD030:
- ul_single: 3
- ol_single: 2
- ul_multi: 3
- ol_multi: 2
+# MD030: Repo mixes 1-space unordered and 2-space ordered list markers.
+MD030: false
diff --git a/.github/workflows/action-super-linter.yml b/.github/workflows/action-super-linter.yml
index de396dcd4..e2755e20a 100644
--- a/.github/workflows/action-super-linter.yml
+++ b/.github/workflows/action-super-linter.yml
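Review bot: The new `.gitleaks.toml` declares an `[allowlist]` but no rules and no `[extend]` table, and as far as I know gitleaks then scans with only what the supplied file contains, so unless super-linter merges its own rule set the secret scan may be left with nothing to detect. Adding `[extend]` with `useDefault = true` above `[allowlist]` keeps the built-in rules. The regex also carries the `apisecret="` prefix, while gitleaks applies global allowlist regexes to the extracted secret by default, so the entry probably needs `regexTarget = "line"` to match at all; both points are worth confirming against the gitleaks version super-linter ships. Because the allowlist is global, once it does match it hides any `apisecret="…"` assignment anywhere in the repository, so a `gitleaks:allow` comment on the one line that holds the Measurement Protocol value would be a narrower exception.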
@@ -27,9 +27,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v6
 with:
- # Shallow clone reduces transient fetch failures (HTTP 500) from GitHub.
- # We lint the whole codebase instead of relying on git history.
- fetch-depth: 1
+ # Full clone required so super-linter can resolve GITHUB_BEFORE_SHA.
+ fetch-depth: 0
 fetch-tags: false
 persist-credentials: false
@@ -42,6 +41,7 @@ jobs:
 env:
 # To report GitHub Actions status checks
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DEFAULT_BRANCH: ${{ github.ref_name }}
 VALIDATE_BIOME_FORMAT: false
 VALIDATE_BIOME_LINT: false
 VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
diff --git a/lgsm/modules/update_etl.sh b/lgsm/modules/update_etl.sh
old mode 100644
new mode 100755
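Review bot: `DEFAULT_BRANCH: ${{ github.ref_name }}` in the second hunk sets super-linter's default branch to whatever ref triggered the run, not to the repository's default branch. On a pull request `github.ref_name` is the merge ref and on a feature-branch push it is the branch itself, so any changed-file comparison against DEFAULT_BRANCH could come up empty or fail, and the linters, the secret scan included, would then check little or nothing; the workflow triggers and any VALIDATE_ALL_CODEBASE setting are outside the hunk, so this needs confirming. If the intent is to name the real default branch, `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}` does that regardless of trigger. A one-line comment above the key saying why it is set would match the one `GITHUB_TOKEN` already has. The `env:` block continues past the end of the hunk.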