Hypatia workflow_audit/cicd_rules: 3 false-positive rule refinements (surfaced by standards workflow audit)

[hyperpolymath]

Context

While fixing the standards-repo workflow startup_failures (#359, #371, #372), the Hypatia security scan repeatedly surfaced findings against this repo's workflows that are false positives — the rules flag structurally-valid GitHub Actions YAML, and "fixing" two of them would actively break the workflows. The actual fixes belong in hyperpolymath/hypatia's rule modules, not here. Filing in standards because (a) hypatia is out of the current agent session's scope, and (b) standards is the estate standards/umbrella hub. Please transfer to hyperpolymath/hypatia if preferred.

Evidence gathered against hyperpolymath/standards@main (post-#372).

1. workflow_audit/missing_timeout_minutes — exempt reusable-caller jobs (false positive)

Flagged on governance.yml, mirror.yml, secret-scanner.yml (and previously scorecard.yml). Each is a single-job thin caller of the form:

jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@<sha>

timeout-minutes is not a legal key on a job that calls a reusable workflow — adding it produces Invalid workflow ... 'timeout-minutes' is not allowed. The timeout belongs on the reusable's jobs, where it already lives:

caller (flagged)	reusable it calls	reusable job timeout coverage
governance.yml	governance-reusable.yml	9/9 bounded
mirror.yml	mirror-reusable.yml	7/7 bounded
secret-scanner.yml	secret-scanner-reusable.yml	4/4 bounded

Fix: skip the missing_timeout_minutes check for jobs that have a top-level uses: (reusable-workflow callers).

2. workflow_audit/unpinned_action — SHA-truncation misread (false positive)

Flagged twice on governance-reusable.yml, with the reason string:

Action for the check script)\n        uses: actions/checkout@de0f needs attention

The action is actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 — a full 40-char SHA pin. The rule's reason string truncates the ref to de0f and then flags it as unpinned. A comprehensive scan of all root workflows found 0 genuinely-unpinned actions.

Fix: the pin check is matching/parsing a truncated ref. It should treat a 40-hex-char ref as pinned (and the truncation in the reason string is a display bug worth fixing too).

3. cicd_rules/missing_requirement (public_repo) + workflow_audit/missing_workflow — accept scorecard-enforcer.yml (policy gap)

After scorecard.yml was retired (#372, redundant + perpetually startup_failure-ing), the scan raised two high findings requiring a scorecard.yml to exist on public repos. But this repo runs OSSF Scorecard via scorecard-enforcer.yml, which is a strict superset (runs scorecard, uploads SARIF, publishes with publish_results: true, and gates on the aggregate score). The requirement is satisfied in substance; only the filename check fails.

Fix: the public_repo scorecard requirement should accept scorecard-enforcer.yml (or any workflow invoking ossf/scorecard-action) as satisfying it, not just a file literally named scorecard.yml.

Related note (not a request here)

workflow_audit/scorecard_publish_with_run_step continued to flag scorecard-enforcer.yml after #371 split it so no single job mixes ossf/scorecard-action with a run: step. If the rule is matching at file level (scorecard-action and a run: step anywhere in the file) rather than job level, it should be scoped to the job — the OSSF publish contract is per-job. Worth confirming against the rule's implementation.

---

Raised by an agent session scoped to hyperpolymath/standards; could not file directly in hyperpolymath/hypatia (out of scope) nor self-add that repo (session lacks the repo-management tools).

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82

[hyperpolymath]

Two more false-positive patterns observed (scan on #375, 2026-06-04)

The Hypatia scan ran against #375 and surfaced the items already listed above, plus two new patterns worth folding into the same fix:

5. workflow_audit/secret_action_without_presence_gate — env-indirection presence gate not recognised

Flagged on instant-sync.yml. The root file is correctly presence-gated using the estate's canonical env-indirection pattern (the secrets context isn't valid in if:, so the secret is mapped to job-level env and the step gates on that):

env:
  FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
...
    - if: ${{ env.FARM_DISPATCH_TOKEN != '' }}
      uses: peter-evans/repository-dispatch@<sha>

Fix: recognise the env: SECRET → if: env.SECRET != '' presence-gate idiom (not just a direct if: secrets.X check, which is itself invalid YAML).

6. Scanning inert nested workflows / configs as if live (root-only scope)

A large share of the run's 140 findings (incl. the lone critical: banned_language_file on lol/test/vitest.config.ts) come from the lol/ subtree, which carries a complete nested repo scaffold (lol/.github/workflows/scorecard.yml, instant-sync.yml, etc.). Two problems:

• Nested workflows are inert. GitHub Actions only runs the repo-root .github/workflows/. This repo's own scorecard-reusable.yml header says so verbatim: "nested workflows are inert … Sweeping nested copies is single-source-of-truth cleanup, not security hardening." workflow_audit should scope to root .github/workflows/ (or clearly tag nested findings as non-live), not flag lol/.github/workflows/* as live security issues.
• vitest.config.ts exemption not honoured. lol/test/vitest.config.ts matches the documented **/vitest.config.ts tooling carve-out (CLAUDE.md TS-exemptions table) but is flagged critical by cicd_rules/banned_language_file. That carve-out (currently on typescript_detected) needs to apply to banned_language_file too.

NB: lol/ is load-bearing, not junk despite the name — echidna-verify.yml verifies Agda proofs under lol/proofs/theories/**, coordination.k9 registers path: lol/, and CRG/PROOF-NEEDS cite its proofs. Do not resolve these findings by deleting lol/; the fix is in the detector's scope/exemptions.

Net: still zero genuine defects in standards@main root workflows. Items 5–6 join 1–4 as detector-side fixes for hyperpolymath/hypatia.

---

Generated by Claude Code