From 635c244b1996817cd6121e2edc13147da400ba8d Mon Sep 17 00:00:00 2001 
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 30 May 2026 18:21:36 +0100 Subject: [PATCH] =?UTF-8?q?fix(ci):=20hypatia=20self-clean=20=E2=80=94=20r?= =?UTF-8?q?eplace=203=20fake=20action=20SHA=20pins?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hypatia's own workflows carried three fake SHAs caught by the 2026-05-30 estate audit. Self-clean so hypatia passes its own `:known_fake_action_sha` rule (#397) when scanning itself. ## Substitutions Swatinem/rust-cache (7 sites across ci/release/tests) ad397744b0d591a723ab90405b7247fac0e6b8db (fake; partial-prefix corruption) → 9d47c6ad4b02e050fd481d890b2ea34778fd09d6 (real v2.7.8) Version intent preserved (# v2.7.8 → still v2.7.8). haskell-actions/hlint-run (1 site in ci.yml) 75c62c3bed4ab3e4c85c64ed8f287478c5f86ce2 (fake) → 0b0024319753ba0c8b2fa21b7018ed252aed8181 (real v2.4.9) Version intent preserved (# v2.4.9 → still v2.4.9). haskell-actions/hlint-setup (1 site in ci.yml) 17f0f4093d35cfdbf02aab186d51d0bb8b92ddfa # v2.7.0 (DOUBLY FICTIONAL) → fe9cd1cd1af94a23900c06738e73f6ddb092966a # v2.4.10 (real, current latest) Note: the original `# v2.7.0` was itself fictional — hlint-setup's tag history only goes to v2.4.10 (verified via `gh api repos/haskell-actions/hlint-setup/tags`). Bumped to the actual current latest rather than try to preserve a version that never existed. ## Verification `gh api repos/<owner>/<repo>/commits/<sha>` returns 200 for all three real SHAs (verified pre-commit). Hypatia's own audit rule + verify task will see these as `real` going forward. ## Provenance Estate audit 2026-05-30 found these among 67 fake action SHA pairs. The round-2 sweep in flight handles rust-cache for ~46 estate repos including hypatia, but it doesn't carry the hlint-* substitutions in its map — so this PR catches both for hypatia in one shot rather than waiting for the sweep to fix only the rust-cache subset later. 
See `project_estate_fake_action_sha_punch_list_2026_05_30` for the full substitution map context.
---
 .github/workflows/ci.yml | 10 +++++-----
 .github/workflows/release.yml | 2 +-
 .github/workflows/tests.yml | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a237ba3..4b75684 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,7 +40,7 @@ jobs:
 components: clippy, rustfmt
 - name: Setup Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
 cache-on-failure: true
@@ -81,7 +81,7 @@ jobs:
 toolchain: stable
 - name: Setup Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
 cache-on-failure: true
@@ -112,7 +112,7 @@ jobs:
 tool: cargo-llvm-cov
 - name: Setup Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
 cache-on-failure: true
@@ -196,12 +196,12 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup HLint
- uses: haskell-actions/hlint-setup@17f0f4093d35cfdbf02aab186d51d0bb8b92ddfa # v2.7.0
+ uses: haskell-actions/hlint-setup@fe9cd1cd1af94a23900c06738e73f6ddb092966a # v2.4.10
 with:
 version: '3.8'
 - name: Run HLint
- uses: haskell-actions/hlint-run@75c62c3bed4ab3e4c85c64ed8f287478c5f86ce2 # v2.4.9
+ uses: haskell-actions/hlint-run@0b0024319753ba0c8b2fa21b7018ed252aed8181 # v2.4.9
 with:
 path: registry/
 fail-on: warning
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1ac29c9..0f221d4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
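Review bot: The trailing `# v2.7.8` on the new `uses: Swatinem/rust-cache@9d47c6ad…` line is the only thing tying the SHA to a release, and the commit message backs it with nothing stronger than the commits endpoint returning 200; the same holds for the other six rust-cache sites in ci.yml, release.yml and tests.yml and for the two hlint pins in the `-196,12` hunk. A 200 shows the object is reachable through that repository, which on GitHub can also be true of a commit that exists only in a fork, so it does not establish that the SHA is what the tag resolves to. I would resolve each tag instead (for example `git ls-remote --tags https://github.com/Swatinem/rust-cache v2.7.8`, dereferencing if the tag is annotated) and compare the result with the pin; I have not checked these values myself. The hlint-setup line is also a real version change rather than a pin repair, so the `version: '3.8'` input should be confirmed against that release. The jobs these steps belong to start and end outside the hunks.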
@@ -93,7 +93,7 @@ jobs:
 targets: ${{ matrix.target }}
 - name: Setup Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
 key: ${{ matrix.target }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 12adb42..075b1b8 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -224,7 +224,7 @@ jobs:
 toolchain: stable
 - name: Setup Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
 cache-on-failure: true
@@ -485,7 +485,7 @@ jobs:
 tool: cargo-llvm-cov
 - name: Setup Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
@@ -636,7 +636,7 @@ jobs:
 toolchain: stable
 - name: Rust cache
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2.7.8
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 workspaces: ". -> target"
 cache-on-failure: true
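Review bot: The `Setup Rust cache` step in release.yml means the published artifacts are built on top of whatever `target` contents the cache restores, and pinning the action to a real SHA does not change that. Whether another workflow run can write an entry this job later restores depends on the workflow triggers and on cache scoping, none of which is visible in the hunk, so this is a question to settle rather than a confirmed defect. I would consider dropping the cache step from the release job, or at least confirm that the release workflow cannot restore caches written by pull-request runs. The job this step belongs to starts and ends outside the hunk.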