
fix(ci): keep scorecard-action jobs uses-only (split compute-score from gate)#371

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/scorecard-enforcer-publish-split
Jun 4, 2026

Conversation

@hyperpolymath
Owner

Why

PR #359 fixed the enforcer's score-reading bug (read .score from scorecard's JSON output instead of the absent SARIF field), but in doing so it reintroduced the job-structure bug that #304 had deliberately removed: it placed ossf/scorecard-action and a run: step in the same check-score job. OSSF's publish path requires scorecard-action jobs to be uses:-only, and hypatia flags this as scorecard_publish_with_run_step (high) — which is exactly what the post-merge scan on #359 caught.

What

Split the score path into two jobs:

  • compute-score (uses:-only): checkout → scorecard-action (JSON mode, publish_results: false, so no publish + no OIDC) → upload-artifact (results.json).
  • check-score: download-artifact → the jq .score gate. No scorecard-action.

This mirrors the publish/gate split #304 established for the SARIF path. Verified every scorecard-action job is now uses:-only:

job scorecard-action run-step
scorecard (publish)
compute-score
check-score
check-critical

MIN_SCORE=5 and the publish scorecard job are unchanged — posture untouched. As before, this makes the gate accurate, not automatically green (a real score < 5 will correctly fail).

Guardrail

No LICENSE file or SPDX header touched. Workflow logic only.

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82


Generated by Claude Code

…om gate)

PR #359 fixed the enforcer's score-reading bug (read `.score` from JSON instead
of the absent SARIF field) but reintroduced the job-structure bug #304 had
deliberately removed: it put `ossf/scorecard-action` and a `run:` step in the
same `check-score` job. OSSF's publish path requires scorecard-action jobs to be
uses-only; hypatia flags this as `scorecard_publish_with_run_step` (high).

Split the score path into two jobs: `compute-score` (uses-only — scorecard-action
in JSON mode with publish_results:false, then upload-artifact) hands the JSON to
`check-score` (download-artifact + the jq gate, no scorecard-action). Every
scorecard-action job is now uses-only; MIN_SCORE=5 and the publish `scorecard`
job are unchanged. No SPDX/licence edit.

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
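The two-job split described in the PR, written out as an added example. This is not the repository's actual `scorecard-enforcer.yml` (the page does not reproduce it). The job names, the JSON mode, `publish_results: false`, the artifact hand-off and the `MIN_SCORE=5` jq gate follow the PR text; `results_format`, `results_file` and `publish_results` are scorecard-action's documented inputs. The `<commit-sha>` pins, the artifact name `scorecard-json`, the `timeout-minutes` values and the exact jq expression are my assumptions.

```yaml
# Added illustration of the uses-only split, not the project's own workflow.
# Every job that runs ossf/scorecard-action contains only `uses:` steps;
# the `run:` gate lives in a separate job that never loads the action.
jobs:
  compute-score:
    runs-on: ubuntu-latest
    timeout-minutes: 15            # assumed value; hypatia flags jobs without one
    permissions:
      contents: read               # no id-token: publish_results is false, so no OIDC needed
    steps:
      - uses: actions/checkout@<commit-sha>      # replace with a full 40-char SHA pin
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@<commit-sha>
        with:
          results_file: results.json
          results_format: json     # JSON output carries .score; the SARIF output does not
          publish_results: false
      - uses: actions/upload-artifact@<commit-sha>
        with:
          name: scorecard-json     # assumed artifact name
          path: results.json

  check-score:
    needs: compute-score
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    env:
      MIN_SCORE: "5"
    steps:
      - uses: actions/download-artifact@<commit-sha>
        with:
          name: scorecard-json
      - name: Gate on aggregate score
        run: |
          # jq -e exits non-zero when the expression is false or null, so an
          # absent or non-numeric .score fails the gate instead of passing it.
          if jq -e --argjson min "$MIN_SCORE" \
               '(.score | type == "number") and .score >= $min' results.json > /dev/null
          then
            echo "Scorecard score $(jq -r '.score' results.json) >= MIN_SCORE=$MIN_SCORE"
          else
            echo "::error::Scorecard score $(jq -r '.score // "absent"' results.json) is below MIN_SCORE=$MIN_SCORE (or missing)"
            exit 1
          fi
```

The type check inside the jq expression is what keeps the gate accurate rather than green by default: if a future action version renames the field, or the SARIF file is handed over by mistake, `.score` is `null`, the expression is false, and the job fails loudly instead of comparing nothing against 5.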
@github-actions

github-actions Bot commented Jun 4, 2026

🔍 Hypatia Security Scan

Findings: 139 issues detected

Severity Count
🔴 Critical 63
🟠 High 55
🟡 Medium 21

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action for the check script)\n        uses: actions/checkout@de0f needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action for the check script)\n        uses: actions/checkout@de0f needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in governance.yml",
    "type": "missing_timeout_minutes",
    "file": "governance.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "missing_timeout_minutes",
    "file": "mirror.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in secret-scanner.yml",
    "type": "missing_timeout_minutes",
    "file": "secret-scanner.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 4, 2026 02:45
@hyperpolymath hyperpolymath merged commit e4c7d96 into main Jun 4, 2026
22 checks passed
@hyperpolymath hyperpolymath deleted the claude/scorecard-enforcer-publish-split branch June 4, 2026 02:45
hyperpolymath added a commit that referenced this pull request Jun 4, 2026
…yml) (#372)

## Why

`.github/workflows/scorecard.yml` (the "Scorecards supply-chain
security" workflow) has `startup_failure`'d on **every** push to `main`
— confirmed across the last several pushes through the latest commit
(`e4c7d96`). It's a thin caller of `scorecard-reusable.yml@3f34549`,
and the reusable **at that pinned SHA is itself valid** (I fetched it —
identical to `main`'s copy minus the later `timeout-minutes` line). So
this isn't a malformed-file bug; it's a redundant second scorecard run
the standards repo doesn't need.

## Decision: retire, not repair

`scorecard-enforcer.yml` (hardened in #371) is a **strict superset**:

| Capability | `scorecard.yml` (reusable) | `scorecard-enforcer.yml` |
|---|---|---|
| Run OSSF Scorecard | ✅ | ✅ |
| Upload SARIF | ✅ | ✅ |
| **Publish to OSSF registry** | ❌ (reusable doesn't set `publish_results`) | ✅ `publish_results: true` |
| **Score gate** (`MIN_SCORE`) | ❌ | ✅ |

The thin-caller→reusable pattern is the estate convention for
**downstream** repos. The standards repo is special — it *hosts*
`scorecard-reusable.yml` and runs the *enforcer*, so it doesn't need the
thin caller too.

## Safety

- No other in-repo references to `scorecard.yml` (`grep` clean).
- **Not a required status check** — pushes have been merging despite its
red, so removing it cannot block merges.
- **`scorecard-reusable.yml` is untouched** — downstream callers across
the estate are unaffected.
- Net: removes a perpetually-red check and a duplicate scorecard run,
**zero functional loss** (publishing + SARIF + gate all remain via the
enforcer).

## Alternative (rejected)

Repairing the caller's `startup_failure` and keeping it would preserve
the redundant double-run. If you'd rather keep the thin caller as the
canonical pattern *in this repo too*, say so and I'll repair the
startup_failure instead of deleting.

## Guardrail

No `LICENSE` file or SPDX header touched.

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82

---
_Generated by [Claude
Code](https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82)_

Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request Jun 4, 2026
…t thread (#375)

## Why

Closes out the workflow-`startup_failure` / `workflow_audit` thread. The
substantive fixes already merged (#359, #371, #372); this is the
residual cleanup.

After #372 retired the redundant `scorecard.yml` thin caller, one stale
reference was left behind: the header comment in
`scorecard-reusable.yml` still named
`hyperpolymath/standards/.github/workflows/scorecard.yml` as "the actual
canonical caller" — a file that no longer exists.

## What

- **`scorecard-reusable.yml`** — update the `CANONICAL SCHEDULE` note:
standards now runs OSSF Scorecard directly via `scorecard-enforcer.yml`
(weekly Mon 06:00 UTC; publishes + gates on `MIN_SCORE`). Clarifies the
reusable itself is **unchanged**, so downstream thin-caller wrappers
(the canonical estate pattern) are unaffected. Comment-only.

## Not touched / out of scope

- `docs/audits/workflow-convergence-campaign-2026-05-26.md` references
`scorecard.yml` too, but it's a **dated historical snapshot** — not
rewritten.
- No `LICENSE`/SPDX header touched (header stays `MPL-2.0`). Steers
clear of the in-flight licence-normalisation PR (#373).

## Companion

The remaining actionable work is **not** in this repo — it's three
Hypatia rule false positives surfaced during this thread, tracked in
**#374** (to be transferred to `hyperpolymath/hypatia`). A full handover
brief was produced for that.

## Merge note

The branch carried a pre-#371 copy of `scorecard-enforcer.yml`; the
merge from `main` was resolved in favour of `main`'s hardened (uses-only
split) version, so the enforcer is byte-identical to `main`.

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82

---
_Generated by [Claude
Code](https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82)_

---------

Co-authored-by: Claude <noreply@anthropic.com>

2 participants