Skip to content

fix(ci): hypatia self-clean — replace 3 fake action SHA pins#401

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/hypatia-self-clean-fake-shas
May 30, 2026
Merged

fix(ci): hypatia self-clean — replace 3 fake action SHA pins#401
hyperpolymath merged 1 commit into
mainfrom
claude/hypatia-self-clean-fake-shas

Conversation

@hyperpolymath
Copy link
Copy Markdown
Owner

@hyperpolymath hyperpolymath commented May 30, 2026

Summary

Hypatia carried 3 fake SHA pins in its own workflows. Self-clean so hypatia passes its own :known_fake_action_sha rule (#397) when scanning itself.

Substitutions (version-faithful where possible)

Action Sites Fake SHA Real replacement Version
Swatinem/rust-cache 7 (ci.yml ×4, tests.yml ×3, release.yml ×1) ad397744...b8db 9d47c6ad4b02e050fd481d890b2ea34778fd09d6 v2.7.8 (intent preserved)
haskell-actions/hlint-run 1 (ci.yml) 75c62c3b...6ce2 0b0024319753ba0c8b2fa21b7018ed252aed8181 v2.4.9 (intent preserved)
haskell-actions/hlint-setup 1 (ci.yml) 17f0f409...ddfa fe9cd1cd1af94a23900c06738e73f6ddb092966a v2.4.10 (bumped — original # v2.7.0 was doubly fictional)

Note on hlint-setup

The original haskell-actions/hlint-setup@17f0f4093d35cfdbf02aab186d51d0bb8b92ddfa # v2.7.0 was fake at TWO levels: the SHA doesn't exist, AND the version v2.7.0 was never released. hlint-setup's tag history only goes up to v2.4.10. Bumped to v2.4.10 (current latest) rather than try to preserve a version that never existed.

Verification

All three real SHAs return 200 from gh api repos/<org>/<action>/commits/<sha>. Verified pre-commit.

Why one PR for both action families

The round-2 estate sweep in flight (~46 repos, version-faithful substitution map) handles rust-cache@ad397744... but NOT hlint-run/hlint-setup — those aren't in the substitution map. Filing both fixes in one PR for hypatia means:

  1. Hypatia is fully self-clean immediately (passes its own rule)
  2. When the in-flight sweep reaches hypatia, it'll see corrected_not_emitted (no-op) — clean handoff
  3. No leftover hlint fixes deferred to a separate PR

Provenance

Estate audit 2026-05-30 found 67 fake action SHA pairs; the in-flight round-2 sweep handles 26 substitutions across 46 repos; ~25 niche single-repo fakes including hlint were documented as deferred. This PR moves the 2 hlint fakes from "deferred" to "done" since they're in hypatia's own repo and there's symbolic value to hypatia being self-clean.

See project_estate_fake_action_sha_punch_list_2026_05_30.md for the full substitution map context.

Test plan

  • gh api returns 200 for all 3 new SHAs (verified)
  • No remaining fake-SHA occurrences in hypatia's workflows (verified via grep)
  • CI passes (rust-cache + hlint behaviour is identical, just real SHAs)

@hyperpolymath
fix(ci): hypatia self-clean — replace 3 fake action SHA pins
635c244 
Hypatia's own workflows carried three fake SHAs caught by the 2026-05-30
estate audit. Self-clean so hypatia passes its own `:known_fake_action_sha`
rule (#397) when scanning itself.

## Substitutions

  Swatinem/rust-cache         (7 sites across ci/release/tests)
    ad397744b0d591a723ab90405b7247fac0e6b8db (fake; partial-prefix corruption)
    → 9d47c6ad4b02e050fd481d890b2ea34778fd09d6 (real v2.7.8)
    Version intent preserved (# v2.7.8 → still v2.7.8).

  haskell-actions/hlint-run   (1 site in ci.yml)
    75c62c3bed4ab3e4c85c64ed8f287478c5f86ce2 (fake)
    → 0b0024319753ba0c8b2fa21b7018ed252aed8181 (real v2.4.9)
    Version intent preserved (# v2.4.9 → still v2.4.9).

  haskell-actions/hlint-setup (1 site in ci.yml)
    17f0f4093d35cfdbf02aab186d51d0bb8b92ddfa # v2.7.0 (DOUBLY FICTIONAL)
    → fe9cd1cd1af94a23900c06738e73f6ddb092966a # v2.4.10 (real, current latest)

    Note: the original `# v2.7.0` was itself fictional — hlint-setup's
    tag history only goes to v2.4.10 (verified via
    `gh api repos/haskell-actions/hlint-setup/tags`). Bumped to the
    actual current latest rather than try to preserve a version that
    never existed.

## Verification

`gh api repos/<org>/<action>/commits/<sha>` returns 200 for all three
real SHAs (verified pre-commit). Hypatia's own audit rule + verify task
will see these as `real` going forward.

## Provenance

Estate audit 2026-05-30 found these among 67 fake action SHA pairs. The
round-2 sweep in flight handles rust-cache for ~46 estate repos including
hypatia, but it doesn't carry the hlint-* substitutions in its map — so
this PR catches both for hypatia in one shot rather than waiting for the
sweep to fix only the rust-cache subset later.

See `project_estate_fake_action_sha_punch_list_2026_05_30` for the full
substitution map context.
@hyperpolymath hyperpolymath merged commit f60ca3c into main May 30, 2026
23 of 31 checks passed
@hyperpolymath hyperpolymath deleted the claude/hypatia-self-clean-fake-shas branch May 30, 2026 17:22
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 31, 2026

🔍 Hypatia Security Scan

Findings: 103 issues detected

Severity Count
🔴 Critical 0
🟠 High 0
🟡 Medium 103
View findings 
[
  {
    "reason": "Action urin 21 JRE\n        uses: actions/setup-java@be666c2fcd27 needs attention",
    "type": "unpinned_action",
    "file": "verify-proofs.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "missing_timeout_minutes",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath