feat: initialize v2 grammar development track #571
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: PMPL-1.0-or-later | |
| # Hypatia Neurosymbolic CI/CD Security Scan | |
| name: Hypatia Security Scan | |
| on: | |
| push: | |
| branches: [ main, master, develop ] | |
| pull_request: | |
| branches: [ main, master ] | |
| schedule: | |
| - cron: '0 0 * * 0' # Weekly on Sunday | |
| workflow_dispatch: | |
| permissions: read-all | |
| jobs: | |
| scan: | |
| name: Hypatia Neurosymbolic Analysis | |
| runs-on: ubuntu-latest | |
| env: | |
| # ${{ env.HOME }} is empty in working-directory context (HOME is not in | |
| # env unless explicitly set), which makes the directory resolve to "/hypatia" | |
| # and the build step fails with "No such file or directory". A job-level env | |
| # var is visible to both shell ($HYPATIA_DIR) and Actions expressions | |
| # (${{ env.HYPATIA_DIR }}). | |
| HYPATIA_DIR: /home/runner/hypatia | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | |
| with: | |
| fetch-depth: 0 # Full history for better pattern analysis | |
| - name: Setup Elixir for Hypatia scanner | |
| uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.18.2 | |
| with: | |
| elixir-version: '1.19.4' | |
| otp-version: '28.3' | |
| - name: Clone Hypatia | |
| run: | | |
| if [ ! -d "$HYPATIA_DIR" ]; then | |
| git clone https://github.com/hyperpolymath/hypatia.git "$HYPATIA_DIR" | |
| fi | |
| - name: Build Hypatia scanner (if needed) | |
| working-directory: ${{ env.HYPATIA_DIR }} | |
| run: | | |
| if [ ! -f hypatia-v2 ]; then | |
| echo "Building hypatia-v2 scanner..." | |
| mix deps.get | |
| mix escript.build | |
| mv hypatia hypatia-v2 | |
| fi | |
| - name: Run Hypatia scan | |
| id: scan | |
| continue-on-error: true # scanner exits 1 on infra errors; critical findings block via the separate Check step | |
| env: | |
| # Hypatia uses Dependabot alerts as one of its signal sources. | |
| # Without GITHUB_TOKEN it warns and exits 1. The default GITHUB_TOKEN | |
| # has the security_events:read scope needed to query alerts. | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "Scanning repository: ${{ github.repository }}" | |
| # Run scanner | |
| HYPATIA_FORMAT=json "$HYPATIA_DIR/hypatia-cli.sh" scan . > hypatia-findings.json | |
| # Count findings | |
| FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0) | |
| echo "findings_count=$FINDING_COUNT" >> $GITHUB_OUTPUT | |
| # Extract severity counts | |
| CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json) | |
| HIGH=$(jq '[.[] | select(.severity == "high")] | length' hypatia-findings.json) | |
| MEDIUM=$(jq '[.[] | select(.severity == "medium")] | length' hypatia-findings.json) | |
| echo "critical=$CRITICAL" >> $GITHUB_OUTPUT | |
| echo "high=$HIGH" >> $GITHUB_OUTPUT | |
| echo "medium=$MEDIUM" >> $GITHUB_OUTPUT | |
| echo "## Hypatia Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "- Total findings: $FINDING_COUNT" >> $GITHUB_STEP_SUMMARY | |
| echo "- Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY | |
| echo "- High: $HIGH" >> $GITHUB_STEP_SUMMARY | |
| echo "- Medium: $MEDIUM" >> $GITHUB_STEP_SUMMARY | |
| - name: Upload findings artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: hypatia-findings | |
| path: hypatia-findings.json | |
| retention-days: 90 | |
| - name: Submit findings to gitbot-fleet (Phase 2) | |
| if: steps.scan.outputs.findings_count > 0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| GITHUB_SHA: ${{ github.sha }} | |
| run: | | |
| echo "📤 Submitting ${{ steps.scan.outputs.findings_count }} findings to gitbot-fleet..." | |
| # Clone gitbot-fleet to temp directory | |
| FLEET_DIR="/tmp/gitbot-fleet-$$" | |
| git clone https://github.com/hyperpolymath/gitbot-fleet.git "$FLEET_DIR" | |
| # Run submission script | |
| bash "$FLEET_DIR/scripts/submit-finding.sh" hypatia-findings.json | |
| # Cleanup | |
| rm -rf "$FLEET_DIR" | |
| echo "✅ Finding submission complete" | |
| - name: Check for critical issues | |
| if: steps.scan.outputs.critical > 0 | |
| run: | | |
| echo "⚠️ Critical security issues found!" | |
| echo "Review hypatia-findings.json for details" | |
| # Don't fail the build yet - just warn | |
| # exit 1 | |
| - name: Generate scan report | |
| run: | | |
| cat << EOF > hypatia-report.md | |
| # Hypatia Security Scan Report | |
| **Repository:** ${{ github.repository }} | |
| **Scan Date:** $(date -u +"%Y-%m-%d %H:%M:%S UTC") | |
| **Commit:** ${{ github.sha }} | |
| ## Summary | |
| | Severity | Count | | |
| |----------|-------| | |
| | Critical | ${{ steps.scan.outputs.critical }} | | |
| | High | ${{ steps.scan.outputs.high }} | | |
| | Medium | ${{ steps.scan.outputs.medium }} | | |
| | **Total**| ${{ steps.scan.outputs.findings_count }} | | |
| ## Next Steps | |
| 1. Review findings in the artifact: hypatia-findings.json | |
| 2. Auto-fixable issues will be addressed by robot-repo-automaton (Phase 3) | |
| 3. Manual review required for complex issues | |
| ## Learning | |
| These findings feed Hypatia's learning engine to improve future rules. | |
| --- | |
| *Powered by [Hypatia](https://github.com/hyperpolymath/hypatia) - Neurosymbolic CI/CD Intelligence* | |
| EOF | |
| cat hypatia-report.md >> $GITHUB_STEP_SUMMARY | |
| - name: Comment on PR with findings | |
| if: github.event_name == 'pull_request' && steps.scan.outputs.findings_count > 0 | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const findings = JSON.parse(fs.readFileSync('hypatia-findings.json', 'utf8')); | |
| const critical = findings.filter(f => f.severity === 'critical').length; | |
| const high = findings.filter(f => f.severity === 'high').length; | |
| let comment = `## 🔍 Hypatia Security Scan\n\n`; | |
| comment += `**Findings:** ${findings.length} issues detected\n\n`; | |
| comment += `| Severity | Count |\n|----------|-------|\n`; | |
| comment += `| 🔴 Critical | ${critical} |\n`; | |
| comment += `| 🟠 High | ${high} |\n`; | |
| comment += `| 🟡 Medium | ${findings.length - critical - high} |\n\n`; | |
| if (critical > 0) { | |
| comment += `⚠️ **Action Required:** Critical security issues found!\n\n`; | |
| } | |
| comment += `<details><summary>View findings</summary>\n\n`; | |
| comment += `\`\`\`json\n${JSON.stringify(findings.slice(0, 10), null, 2)}\n\`\`\`\n`; | |
| comment += `</details>\n\n`; | |
| comment += `*Powered by Hypatia Neurosymbolic CI/CD Intelligence*`; | |
| github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: comment | |
| }); |