
[campaign] Estate scorecard.yml wrapper sweep — add job-level permissions (37 repos) #282

@hyperpolymath

Campaign overview

37 .github/workflows/scorecard.yml wrappers across the estate use the standards scorecard-reusable.yml but lack the required job-level permissions: { security-events: write, id-token: write } block. Each silently fails on every Scorecard run with startup_failure.

Why

When a job calls a reusable workflow, the called workflow's permissions are capped by the caller's permissions block. Without a job-level override in the wrapper, ossf/scorecard-action cannot upload SARIF — the run fails before any job logs are generated.

The canonical example in standards (standards/.github/workflows/scorecard.yml) is correct. The bug is in DOWNSTREAM wrappers that were authored before this constraint was understood.

Affected repos (37 wrappers, 35 unique top-level)

ambientops, absolute-zero, affinescript, betlang, boj-server, burble, candy-crash, conflow, developer-ecosystem, echidna, echo-types, eclexia, ephapax, file-soup, gitbot-fleet, hesiod-dns-map, heterogenous-mobile-computing, hypatia, januskey, laminar, nextgen-languages, nextgen-typing, odds-and-sods-package-manager, oikos, panic-attack, panll, proven, quandledb, reposystem, robodog-ecm, rsr-template-repo, session-sentinel, stapeln, typed-wasm, verisimdb.

Nested inert (don't auto-run, but worth fixing for hygiene): maa-framework/absolute-zero/, idaptik/idaptik/.

Excluded by policy: echo-types/ (owner actively working — hands-off).

Fix shape

For each affected scorecard.yml, insert under jobs.analysis: (above uses:):

    permissions:
      security-events: write
      id-token: write
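As an added example (not the issue's own code, and not the Hypatia rule it references), a small Python scan that flags caller wrappers whose reusable-workflow job lacks the required job-level permissions block and applies the fix shape above by inserting it directly above uses:. It assumes the two-space indented mapping style shown in the fix shape; the OWNER/standards uses: ref in the constructed sample is a placeholder, not the estate's real path. It is a minimal indentation-based scan, not a general YAML parser.

```python
# Added example: scan scorecard.yml caller wrappers for the missing job-level
# permissions block and insert it above the job's 'uses:' line.

# Job-level grants the campaign requires on every reusable-workflow call.
REQUIRED = {"security-events": "write", "id-token": "write"}

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _meaningful(line):
    s = line.strip()
    return bool(s) and not s.startswith("#")

def _child_indent(body):
    return min((_indent(l) for l in body), default=0)

def job_blocks(text):
    """{job_name: [body lines]} for each job under top-level 'jobs:'."""
    jobs, in_jobs, job_indent, current = {}, False, None, None
    for line in filter(_meaningful, text.splitlines()):
        ind = _indent(line)
        if ind == 0:
            in_jobs, current = line.rstrip() == "jobs:", None
        elif in_jobs:
            job_indent = ind if job_indent is None else job_indent
            if ind == job_indent:
                current = line.strip().rstrip(":")
                jobs[current] = []
            elif ind > job_indent and current is not None:
                jobs[current].append(line)
    return jobs

def job_permissions(body):
    """Mapping under the job's own 'permissions:' key; {} for the scalar form
    ('permissions: read-all'); None when the job has no permissions key."""
    child, perms, perm_indent = _child_indent(body), None, None
    for line in body:
        ind, s = _indent(line), line.strip()
        if perm_indent is not None:
            if ind <= perm_indent:
                break
            key, _, val = s.partition(":")
            perms[key.strip()] = val.strip()
        elif ind == child and s.startswith("permissions:"):
            perms, perm_indent = {}, ind
            if s != "permissions:":  # scalar form carries no write grants
                break
    return perms

def missing_permissions(text):
    """[(job, missing keys)] for reusable-workflow jobs lacking the write grants."""
    findings = []
    for job, body in job_blocks(text).items():
        child = _child_indent(body)
        if any(_indent(l) == child and l.strip().startswith("uses:") for l in body):
            perms = job_permissions(body) or {}
            missing = [k for k, v in REQUIRED.items() if perms.get(k) != v]
            if missing:
                findings.append((job, missing))
    return findings

def add_job_permissions(text):
    """Insert REQUIRED directly above 'uses:' in each flagged job that has no
    permissions key at all; partial or scalar blocks are left for manual review."""
    jobs = job_blocks(text)
    targets = {j for j, _ in missing_permissions(text) if job_permissions(jobs[j]) is None}
    out, in_jobs, job_indent, current, done = [], False, None, None, set()
    for line in text.splitlines():
        if _meaningful(line):
            ind = _indent(line)
            if ind == 0:
                in_jobs, current = line.rstrip() == "jobs:", None
            elif in_jobs:
                job_indent = ind if job_indent is None else job_indent
                if ind == job_indent:
                    current = line.strip().rstrip(":")
                elif current in targets and current not in done and line.strip().startswith("uses:"):
                    pad = " " * ind
                    out.append(f"{pad}permissions:")
                    out.extend(f"{pad}  {k}: {v}" for k, v in REQUIRED.items())
                    done.add(current)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample wrapper in the broken state; the 'uses:' ref is a
# placeholder, not the estate's real path.
BROKEN_WRAPPER = """\
name: Scorecard
on: push
jobs:
  analysis:
    uses: OWNER/standards/.github/workflows/scorecard-reusable.yml@main
"""

if __name__ == "__main__":
    for job, missing in missing_permissions(BROKEN_WRAPPER):
        print(f"job '{job}' lacks job-level grants: {missing}")
    print(add_job_permissions(BROKEN_WRAPPER))
```

Point it at each repo's .github/workflows/scorecard.yml from the estate root. A job that already has a scalar permissions: read-all or a partial block is reported but not rewritten, because a naive insert there would produce a duplicate key; those are the cases to fix by hand.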

Sequencing

  • ✅ Demonstrative fix shipped: absolute-zero#68 (OPEN, 2026-05-30)
  • ✅ Detection rule issue: hyperpolymath/hypatia (filed alongside this)
  • ⏳ Per-repo fix PRs (~36 remaining) — staggered to avoid GitHub secondary rate-limit (~5 PRs / 30min). Multi-session sweep.

Constraints

  • All commits GPG-signed (canonical key 4A03639C...)
  • Auto-merge squash + delete-branch
  • Skip echo-types/
  • Per-PR ownership gate (owner=hyperpolymath, isFork=false) — already verified for all 35 top-level via prior estate audits

Acceptance

  • 35 PRs land (36 if both nested-monorepo copies bundled)
  • Hypatia rule (when shipped) reports 0 violations
  • Scorecard runs succeed estate-wide

Prior art

  • Original bug: julia-professional-registry#19 (2026-05-27)
  • Memory: feedback_scorecard_wrapper_caller_permissions.md

Labels

  • campaign: Multi-PR multi-session estate campaign
  • cicd: CI/CD pipeline, GitHub Actions, workflows, rulesets, releases