ci: retire redundant scorecard.yml (superseded by scorecard-enforcer.yml)#372
Merged
…yml) scorecard.yml is a thin caller of scorecard-reusable.yml@3f34549c that has startup_failed on EVERY push to main (confirmed across the last several pushes, through the latest commit). The reusable at the pinned SHA is itself valid, so this is not a malformed-file issue — it is a redundant second scorecard run the standards repo does not need. scorecard-enforcer.yml is a strict superset: it runs ossf/scorecard-action, uploads SARIF, publishes to the OSSF registry (publish_results: true — which scorecard.yml's reusable does not), AND gates on the aggregate score. The thin-caller -> reusable pattern is the estate convention for DOWNSTREAM repos; the standards repo hosts the reusable and runs the enforcer, so it does not need the thin caller as well. scorecard.yml is not a required status check (pushes merge despite its red), so removing it cannot block merges. scorecard-reusable.yml is untouched — downstream callers are unaffected. No functional loss; removes a perpetually red check and a duplicate scorecard run. Alternative considered (repair the caller instead of retiring): rejected as it would preserve the redundant double-run. If you'd rather keep the thin caller, say so and I'll repair its startup_failure instead. No SPDX/licence edit. https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
🔍 Hypatia Security Scan. Findings: 140 issues detected
[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action for the check script)\n uses: actions/checkout@de0f needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action for the check script)\n uses: actions/checkout@de0f needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in secret-scanner.yml",
"type": "missing_timeout_minutes",
"file": "secret-scanner.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
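The three workflow_audit rule types the scan above reports (unpinned_action, missing_timeout_minutes, scorecard_publish_with_run_step), as an added detection example that is not Hypatia's code: a small auditor run over a constructed workflow embedded as an already-parsed dict, with a placeholder SHA on the scorecard step.

```python
import re

# Constructed sample: the parsed form of a small GitHub Actions workflow,
# embedded as a dict so the example needs no YAML library. The scorecard
# action's SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = {
    "jobs": {
        "analysis": {  # no timeout-minutes
            "steps": [
                {"uses": "actions/checkout@v4"},  # mutable tag, not a commit SHA
                {"uses": "ossf/scorecard-action@0123456789abcdef0123456789abcdef01234567",
                 "with": {"publish_results": True}},
                {"run": "jq .score results.json"},  # run step beside a publishing step
            ],
        },
        "gate": {
            "timeout-minutes": 10,
            "steps": [{"run": "echo gate"}],
        },
    }
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(path, workflow):
    """Return findings shaped like the workflow_audit entries in the scan above."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        steps = job.get("steps", [])
        if "timeout-minutes" not in job:
            findings.append({"type": "missing_timeout_minutes", "file": path, "job": job_name,
                             "action": "flag", "severity": "medium"})
        publishes = False
        for step in steps:
            uses = step.get("uses", "")
            if not uses or uses.startswith(("./", "docker://")):
                continue  # local and container actions carry no git ref to pin
            action, _, ref = uses.partition("@")
            if not SHA_RE.fullmatch(ref):
                findings.append({"type": "unpinned_action", "file": path, "job": job_name,
                                 "reason": f"{uses} is pinned to a mutable ref, not a commit SHA",
                                 "action": "pin_sha", "severity": "medium"})
            if action == "ossf/scorecard-action" and \
                    step.get("with", {}).get("publish_results") in (True, "true"):
                publishes = True
        # A publishing scorecard job should stay uses-only: run steps get split out.
        if publishes and any("run" in s for s in steps):
            findings.append({"type": "scorecard_publish_with_run_step", "file": path, "job": job_name,
                             "action": "split_scorecard_publish_job", "severity": "high"})
    return findings

if __name__ == "__main__":
    for f in audit_workflow(".github/workflows/sample.yml", SAMPLE_WORKFLOW):
        print(f["severity"], f["type"], f["job"])
```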
hyperpolymath added a commit that referenced this pull request on Jun 4, 2026
…t thread (#375)

## Why

Closes out the workflow-`startup_failure` / `workflow_audit` thread. The substantive fixes already merged (#359, #371, #372); this is the residual cleanup.

After #372 retired the redundant `scorecard.yml` thin caller, one stale reference was left behind: the header comment in `scorecard-reusable.yml` still named `hyperpolymath/standards/.github/workflows/scorecard.yml` as "the actual canonical caller" — a file that no longer exists.

## What

- **`scorecard-reusable.yml`** — update the `CANONICAL SCHEDULE` note: standards now runs OSSF Scorecard directly via `scorecard-enforcer.yml` (weekly Mon 06:00 UTC; publishes + gates on `MIN_SCORE`). Clarifies the reusable itself is **unchanged**, so downstream thin-caller wrappers (the canonical estate pattern) are unaffected. Comment-only.

## Not touched / out of scope

- `docs/audits/workflow-convergence-campaign-2026-05-26.md` references `scorecard.yml` too, but it's a **dated historical snapshot** — not rewritten.
- No `LICENSE`/SPDX header touched (header stays `MPL-2.0`). Steers clear of the in-flight licence-normalisation PR (#373).

## Companion

The remaining actionable work is **not** in this repo — it's three Hypatia rule false positives surfaced during this thread, tracked in **#374** (to be transferred to `hyperpolymath/hypatia`). A full handover brief was produced for that.

## Merge note

The branch carried a pre-#371 copy of `scorecard-enforcer.yml`; the merge from `main` was resolved in favour of `main`'s hardened (uses-only split) version, so the enforcer is byte-identical to `main`.

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82

---

_Generated by [Claude Code](https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82)_

---------

Co-authored-by: Claude <noreply@anthropic.com>
Why

.github/workflows/scorecard.yml (the "Scorecards supply-chain security" workflow) has startup_failure'd on every push to main — confirmed across the last several pushes through the latest commit (e4c7d96). It's a thin caller of scorecard-reusable.yml@3f34549c, and the reusable at that pinned SHA is itself valid (I fetched it — identical to main's copy minus the later timeout-minutes line). So this isn't a malformed-file bug; it's a redundant second scorecard run the standards repo doesn't need.

Decision: retire, not repair

scorecard-enforcer.yml (hardened in #371) is a strict superset:

| | scorecard.yml (reusable) | scorecard-enforcer.yml |
|---|---|---|
| publishes to the OSSF registry | no (publish_results not set) | yes (publish_results: true) |
| gates on the aggregate score | no | yes (MIN_SCORE) |

The thin-caller→reusable pattern is the estate convention for downstream repos. The standards repo is special — it hosts scorecard-reusable.yml and runs the enforcer, so it doesn't need the thin caller too.

Safety

- scorecard.yml (grep clean).
- scorecard-reusable.yml is untouched — downstream callers across the estate are unaffected.

Alternative (rejected)

Repairing the caller's startup_failure and keeping it would preserve the redundant double-run. If you'd rather keep the thin caller as the canonical pattern in this repo too, say so and I'll repair the startup_failure instead of deleting.

Guardrail

No LICENSE file or SPDX header touched.

https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82

Generated by Claude Code