hypatia: detect workflow triggers referencing non-existent branches (from #333 cohort, pattern 4)

[hyperpolymath]

Detector spec (from hypatia#333 Pattern 4)

Pattern 4 — Workflow triggers reference branches that don't exist in the repo

Severity: low (dead config, but signals maintenance drift)

Detection (Hypatia.Rules.StructuralDrift):

• For each workflow file, collect on.push.branches, on.pull_request.branches, on.push.branches-ignore, etc.
• Resolve them against the repo's actual branch list (via the git index or GitHub API).
• Flag any branch name that:
  • Doesn't exist as a ref, AND
  • Isn't a glob pattern, AND
  • Isn't the default branch name (some teams keep master/main for migration symmetry — exempt those).

Worked examples (this session):

• affinescript/.github/workflows/{semgrep,spark-theatre-gate}.yml — branches: [main, master] while the repo uses main exclusively. Fix: affinescript#379 dropped master.
• hypatia/.github/workflows/{tests,verify-proofs}.yml — develop and master were dead. Fix: hypatia#331 dropped them.

Remediation guidance to emit:

Drop branch refs in workflow triggers that don't resolve to actual branches in this repo. Confirms intent and avoids ambiguity.

Implementation pointers

• Detection algorithm: Collect on.push.branches, on.pull_request.branches, on.push.branches-ignore per workflow; resolve against actual repo branches; flag names that aren't refs, aren't globs, and aren't the default branch.
• Real-world example: affinescript/.github/workflows/{semgrep,spark-theatre-gate}.yml listed master while repo uses main only; hypatia/.github/workflows/{tests,verify-proofs}.yml listed dead develop and master.
• Landed fix (reference): affinescript#379 (dropped master in affinescript); hypatia#331 (dropped develop/master in hypatia).
• Rule statement: Drop branch refs in workflow triggers that don't resolve to actual branches in this repo. Confirms intent and avoids ambiguity.

Acceptance

• Rule encoded in hypatia (file path follows existing rule naming convention — lib/rules/<name>.ex if Elixir, or matching the repo's rule DSL)
• Test fixture exercising the positive case + at least one negative case
• Smoke test passes against the cited landed-fix repo

Source cohort: hypatia#333.

[hyperpolymath]

cicd triage 2026-05-30 — scoped plan + park

PR #403 ships the first batch of 4 rules from this cohort (#336, #337, #338, #390). This issue is in the next batch; landing it requires more substantial work than the first four:

Detection needs gh API call to list branches OR git index read for actual refs. Compare against on.push.branches + on.pull_request.branches per workflow. Add to lib/rules/structural_drift.ex as SD015.

The issue body is the implementation spec (detection algorithm + worked example + remediation guidance — well-formed). Next-batch PR will pick this up. Leaving open with cicd label.

[hyperpolymath]

Detector landed in PR #411 (merged, d460d6c): Hypatia.Rules.StructuralDrift.check_workflow_branch_refs/3 (SD021) — flags on.push/on.pull_request.branches refs (inline [a, b] and block - a forms) that aren't in the repo's live branch list; glob patterns and the default branch are exempt.

• Rule encoded (SD021)
• Test fixtures (positive + negative) — test/rules/group_b_detectors_test.exs
• Smoke test against cited landed-fix repo (needs the live branch list)

Remaining (keeping this open): the detector takes actual_branches as a parameter today; wiring the live branch-list signal (git index / GitHub API) into the scan flow + the smoke test against the affinescript/hypatia fixes are the follow-up.

---

Generated by Claude Code

[hyperpolymath]

Forward-pointer (2026-05-31): hypatia#409 (proposed WF021-WF025) was closed as partially superseded — main's recent WF021-WF023 work consumed the WF021/WF024 slots. The 3 detector ideas in this cohort (#361/#363/#366) remain owed and should be implemented by a successor PR using WF024+ numbering (main's highest is WF023).