
ci(hypatia-scan): repin reusable to merge-commit SHA (orphan-SHA fix)#90

Merged: hyperpolymath merged 2 commits into main from ci/hypatia-scan-pin-fix on May 28, 2026

Conversation

@hyperpolymath (Owner)

The hypatia-scan.yml wrapper landed in #66 pinned to 97df762107501909f50bb770e9bc200b6c415600 — the SHA of the hypatia-scan-reusable.yml commit on standards#193's feature branch.

After standards#193 was squash-merged into standards/main on 2026-05-26, that feature-branch commit was orphaned (gh api repos/.../compare/main...97df762 reports status: diverged, ahead_by: 1, behind_by: 24). GitHub Actions cannot resolve reusable-workflow references to orphaned commits, so every hypatia-scan run since #73 merged has failed at the workflow-parse stage with "This run likely failed because of a workflow file issue" — the run JSON shows jobs: [] because no job is ever instantiated.

The required check Hypatia Neurosymbolic Analysis (per branch protection on main) is therefore never produced, blocking every PR including #72 (proof-debt items 1-8) and #74 (items 7+8 deepening).

Repin to 915139d73560e65a8240b8fc7768698658502c89, the actual merge-commit SHA on standards/main. File content at this SHA is byte-identical to the orphan (diff -q returns empty), but the commit is reachable from standards/main, so the GitHub Actions runner can resolve it and the workflow's scan job actually instantiates.

Estate impact: ~250+ repos across hyperpolymath/* pin the same orphaned SHA (verified via gh search code "@97df762"). This is a typed-wasm-local fix; standards-side closure of the estate-wide sweep is upstream work tracked separately under the reusables campaign (standards#215 closure doc, hypatia#336-339 detection issues).

Summary

Changes

RSR Quality Checklist

Required

  • Tests pass (just test or equivalent)
  • Code is formatted (just fmt or equivalent)
  • Linter is clean (no new warnings or errors)
  • No banned language patterns (no TypeScript, no npm/bun, no Go/Python)
  • No unsafe blocks without // SAFETY: comments
  • No banned functions (believe_me, unsafeCoerce, Obj.magic, Admitted, sorry)
  • SPDX license headers present on all new/modified source files
  • No secrets, credentials, or .env files included

As Applicable

  • .machine_readable/STATE.a2ml updated (if project state changed)
  • .machine_readable/ECOSYSTEM.a2ml updated (if integrations changed)
  • .machine_readable/META.a2ml updated (if architectural decisions changed)
  • Documentation updated for user-facing changes
  • TOPOLOGY.md updated (if architecture changed)
  • CHANGELOG or release notes updated
  • New dependencies reviewed for license compatibility (MPL-2.0 / MPL-2.0)
  • ABI/FFI changes validated (src/interface/abi/ and src/interface/ffi/ consistent)

Testing

Screenshots

hyperpolymath and others added 2 commits May 26, 2026 23:46
The `hypatia-scan.yml` wrapper landed in #66 pinned to
`97df762107501909f50bb770e9bc200b6c415600` — the SHA of the
hypatia-scan-reusable.yml commit on standards#193's feature branch.

After standards#193 was squash-merged into standards/main on 2026-05-26,
that feature-branch commit was orphaned (`gh api repos/.../compare/main...97df762`
reports `status: diverged, ahead_by: 1, behind_by: 24`).  GitHub
Actions cannot resolve reusable-workflow references to orphaned
commits, so every hypatia-scan run since #73 merged has failed at the
workflow-parse stage with "This run likely failed because of a
workflow file issue" — the run JSON shows `jobs: []` because no job
is ever instantiated.

The required check `Hypatia Neurosymbolic Analysis` (per branch
protection on main) is therefore never produced, blocking every PR
including #72 (proof-debt items 1-8) and #74 (items 7+8 deepening).

Repin to `915139d73560e65a8240b8fc7768698658502c89`, the actual
merge-commit SHA on standards/main.  File content at this SHA is
byte-identical to the orphan (`diff -q` returns empty), but the
commit is reachable from standards/main, so the GitHub Actions
runner can resolve it and the workflow's `scan` job actually
instantiates.

Estate impact: ~250+ repos across hyperpolymath/* pin the same
orphaned SHA (verified via `gh search code "@97df762"`).  This is a
typed-wasm-local fix; standards-side closure of the estate-wide
sweep is upstream work tracked separately under the reusables
campaign (standards#215 closure doc, hypatia#336-339 detection
issues).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan D.A. Jewell <6759885+hyperpolymath@users.noreply.github.com>
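The failure mode described in the PR description and the commit message above (a reusable workflow pinned to a feature-branch SHA that a squash-merge left orphaned, so the Actions runner cannot resolve it) can be caught before merge. The following POSIX shell script is an added example, not typed-wasm's or the standards repository's own tooling. It generalises the one-off `gh api repos/.../compare/main...<sha>` check from the description to every SHA-pinned `uses:` reference in a workflow file: a compare status of `behind` or `identical` means the SHA is an ancestor of the default branch and will resolve, while `ahead` or `diverged` (the orphan's `ahead_by: 1, behind_by: 24` case) means it will not. The `.github/workflows/` path for the reusable workflow is assumed, the sample workflow file is constructed, and the `COMPARE_JSON` override with its constructed response exists only so the logic can run offline; without it the script calls `gh api` for real.

```shell
#!/bin/sh
# Added example (not typed-wasm's or standards' own tooling): for every
# `uses: owner/repo/path@<40-hex-sha>` reference in a workflow file, ask the
# GitHub compare API whether that SHA is reachable from the upstream default
# branch. A squash-merge leaves the feature-branch commit orphaned, and the
# compare endpoint then reports it as "ahead" or "diverged" relative to main.

# List SHA-pinned `uses:` references (owner/repo[/path]@sha) in a workflow file.
extract_pinned_uses() {
  grep -Eo 'uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[^@[:space:]]+)?@[0-9a-f]{40}' "$1" |
    sed -E 's/^uses:[[:space:]]*//'
}

# Split "owner/repo/path@sha" into "owner repo sha".
split_ref() {
  _sha=${1##*@}
  _path=${1%@*}
  _owner=${_path%%/*}
  _rest=${_path#*/}
  _repo=${_rest%%/*}
  echo "$_owner $_repo $_sha"
}

# Pull the top-level "status" out of a compare response. Only the four
# base...head values are matched, so per-file statuses under "files" are ignored.
status_from_compare_json() {
  sed -nE 's/.*"status"[[:space:]]*:[[:space:]]*"(identical|ahead|behind|diverged)".*/\1/p' | head -n 1
}

# base...head semantics: "behind"/"identical" mean head is an ancestor of base,
# i.e. the pinned SHA is reachable from the default branch. "ahead"/"diverged"
# mean head carries commits base does not: an unmerged or orphaned commit that
# the Actions runner will fail to resolve at workflow-parse time.
classify_compare_status() {
  case "$1" in
    identical|behind) echo reachable ;;
    ahead|diverged)   echo unreachable ;;
    *)                echo unknown ;;
  esac
}

# Check one reference. DEFAULT_BRANCH overrides the base (main). COMPARE_JSON,
# when set, replaces the live `gh api` call with a supplied response so the
# check can be exercised offline (constructed data, not a recorded API reply).
check_ref() {
  set -- $(split_ref "$1")
  _base=${DEFAULT_BRANCH:-main}
  if [ -n "${COMPARE_JSON:-}" ]; then
    _json=$COMPARE_JSON
  else
    _json=$(gh api "repos/$1/$2/compare/$_base...$3" 2>/dev/null) || { echo unknown; return 0; }
  fi
  classify_compare_status "$(printf '%s\n' "$_json" | status_from_compare_json)"
}

# Offline demonstration on a constructed workflow file: the reusable-workflow
# path under .github/workflows/ is assumed, the SHA is the orphan from the PR,
# and the compare response is constructed to mirror the description's numbers.
demo() {
  _wf=$(mktemp)
  cat > "$_wf" <<'EOF'
name: hypatia-scan
on: [pull_request]
jobs:
  scan:
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@97df762107501909f50bb770e9bc200b6c415600
EOF
  COMPARE_JSON='{"status": "diverged", "ahead_by": 1, "behind_by": 24}'
  for _ref in $(extract_pinned_uses "$_wf"); do
    printf '%s -> %s\n' "$_ref" "$(check_ref "$_ref")"
  done
  unset COMPARE_JSON
  rm -f "$_wf"
}
demo
```

Run against a real workflow with `COMPARE_JSON` unset and `gh` authenticated; a result of `unreachable` for any reference is the condition this PR fixes and is worth gating on before the pin is merged, since the failure otherwise surfaces only as a workflow-parse error with `jobs: []`.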
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 28, 2026 20:36
@hyperpolymath hyperpolymath disabled auto-merge May 28, 2026 20:36
@hyperpolymath hyperpolymath merged commit 1a6f3e8 into main May 28, 2026
27 of 28 checks passed
@hyperpolymath hyperpolymath deleted the ci/hypatia-scan-pin-fix branch May 28, 2026 20:37
@github-actions

🔍 Hypatia Security Scan

Findings: 96 issues detected

Severity Count
🔴 Critical 8
🟠 High 19
🟡 Medium 69

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in c5-regenerate.yml",
    "type": "unknown",
    "file": "c5-regenerate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "unknown",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
