diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index d2dcad7..4b68c7e 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -10,6 +10,52 @@ https://semver.org/[Semantic Versioning]. == [Unreleased] +=== Added + +==== `WorkflowAudit` rules WF014–WF017 (2026-05-30, PRs #393 + #396) + +Four new forward-detection rules surfacing patterns root-fixed in +companion `hyperpolymath/standards` PRs. All four smoke-tested for +both sensitivity (positive case fires) and specificity (inverse case +silent); see the per-rule `@doc` blocks in `lib/rules/workflow_audit.ex` +for the test matrix. + +* **WF014** `scorecard_publish_with_run_step` (#393) — fires when a + job uses `ossf/scorecard-action` with `publish_results: true` AND + contains a `run:` step in the same job. The OSSF publish endpoint + enforces "scorecard job must only have steps with uses"; any + co-located `run:` step fails the publish + the whole workflow run. + Caught 49 estate repos on the 2026-05-30 audit; template fix in + `standards#304`. +* **WF015** `nonroot_container_checkout_eacces` (#393) — fires when + `container.image:` is on the curated non-root-user list + (`coqorg/coq`, `leanprover/lean4`, `makarius/isabelle`, `haskell:`, + `rocker/r-`, `jekyll/jekyll`) AND uses `actions/checkout` AND + lacks `container.options: --user root`. Caught ephapax `coq-build.yml` + where the checkout post-step failed with EACCES writing + `/__w/_temp/_runner_file_commands/` as the non-root container user. + Does NOT fire on generic `ubuntu:22.04` / `node:18` / `alpine:latest` + (root by default). +* **WF016** `orphan_reusable_sha_pin` (#393) — data-driven rule; + detects callers pinning to known-orphan SHAs of + `hyperpolymath/standards/.github/workflows/-reusable.yml`. + Initial orphan list: `hypatia-scan-reusable.yml@97df7621*` + + `rust-ci-reusable.yml@4fdf4314*`. Caught 178 estate repos; fan-out + recipe in `audit-hypatia-pin-orphan-2026-05-27.adoc`. 
+* **WF017** `secret_action_without_presence_gate` (#396) — fires + when a workflow step uses one of the curated + `@secret_consuming_actions` (`webfactory/ssh-agent`, + `peter-evans/repository-dispatch`, + `peter-evans/create-pull-request`, + `actions-ecosystem/action-create-comment`) with `${{ secrets.X }}` + as its primary input AND lacks an `if: secrets.X != ''` gate. + Caught Mirror radicle (26 repos) + Instant Sync (39 repos) on the + 2026-05-30 audit; source-level fix in `standards#305`. + +The `audit/3` entry point in `lib/rules/workflow_audit.ex` was +extended to thread the four new check functions into its return +`findings` list and the count summary fields. + === Changed ==== docs/ second-pass bucketing (2026-05-25, post-#315)
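Review bot: the WF016 entry names the reusable-workflow path as `hyperpolymath/standards/.github/workflows/-reusable.yml`, which reads as a literal file called `-reusable.yml`; given the two listed orphans are `hypatia-scan-reusable.yml` and `rust-ci-reusable.yml`, this looks like a dropped glob, so restore the wildcard or spell the pattern out so the changelog says what the data-driven rule actually matches. Two specificity points in the same block also deserve a sentence each: WF015 is described as firing unless `container.options: --user root` is present, so state whether equivalent forms (`--user 0`, `-u root`) are recognized or whether a job using them is a known false positive; and WF017 is described as requiring an `if: secrets.X != ''` gate, so state whether the common indirection of exporting the secret to `env` and gating on `env.X != ''`, or a job-level gate, also satisfies the rule, since callers using those patterns would otherwise be flagged. Last, the closing paragraph says `audit/3` now threads the four checks into `findings` and "the count summary fields" without naming them; list the added summary keys (or point at the relevant `@doc`) so consumers of the summary know which fields changed.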