
build,ci: fix Hypatia env, update CI policy text to AffineScript, fix mix path in service unit#43

Merged
hyperpolymath merged 1 commit into main from cleanup-non-port-2026-04-30
Apr 30, 2026


@hyperpolymath
Owner

Summary

Three of the four sub-parts of the deferred cleanup ledger from PR #40's out-of-scope list. The fourth (port the 6 .ts cartridge adapters to AffineScript→typed-wasm) is delegated to a scheduled remote agent that fires 2026-05-07 and runs one cartridge per pass, so it stays opportunistic and reviewable.

Changes

| File | Fix |
| --- | --- |
| .github/workflows/hypatia-scan.yml | Adds job-level GITHUB_TOKEN env (Hypatia CLI calls gh api for Dependabot lookups; without the token it logs Dependabot alerts unavailable: GITHUB_TOKEN not set and the job exits non-zero). Adds security-events: read permission. |
| .github/workflows/rsr-antipattern.yml | "use ReScript instead" → "use AffineScript→typed-wasm instead". Header comment + Allows banner updated to reflect estate-wide language policy 2026-04-30 (RS/TS/JS default is AffineScript; ReScript transitional / adapter-shim only). |
| .github/workflows/ts-blocker.yml | "port to Zig or ReScript" / "use Zig or ReScript instead" → "Zig (systems) or AffineScript→typed-wasm (application)". Underlying detection unchanged. |
| elixir/boj-rest.service | Replace hardcoded ExecStart=/usr/bin/mix (which is apt's 1.14, fails mix.exs ~> 1.15 check on Ubuntu 24.04 LTS) with ExecStart=mix run --no-halt. Adds Environment=PATH with asdf shims, cargo bin, ~/.local/bin. Adds ASDF_DIR + ASDF_DATA_DIR so asdf shims work under systemd's clean env. Bumps cartridge-count comment 112 → 115. |

Why these specifically

PR #40 (spec drift) merged on 2026-04-30 surfaced four follow-up cleanups; this PR closes three of them. The fourth (.ts → AffineScript ports) was deliberately scheduled rather than rushed — verifying AffineScript readiness for each cartridge is genuinely per-cartridge work and the scheduled agent does it one at a time.

The boj-rest.service fix in particular was discovered the hard way during the maintainer's install: the deployed unit needed a hand-patch (~/.config/systemd/user/boj-rest.service) to point at ~/.asdf/installs/elixir/1.18.4-otp-25/bin/mix. Persisting the fix to the source template (with %h systemd-substitution + asdf shim PATH) means the next person installing on a fresh Ubuntu doesn't repeat the dance.

The three pre-existing CI failures that were blocking PRs #40, #41, #42 are likely partially closed by this PR:

  • Hypatia — should now pass with GITHUB_TOKEN wired up.
  • TS/JS Blocker and antipattern-check — will still fail on the 6 .ts cartridge adapters (academic-workflow-mcp, bofig-mcp, ephapax-mcp, fireflag-mcp, hesiod-mcp, sanctify-mcp). Those are the scheduled agent's work. Admin-merge-without-CI is still expected for this PR.

Test plan

  • CI shows Hypatia passing on this branch (GITHUB_TOKEN now available).
  • Diff visual review for the policy text — make sure no instance of "use ReScript instead" remains in the workflow files.
  • After merge, fresh install on a clean Ubuntu 24.04 LTS host with asdf + the toolchain-pins from PR #41 (build: pin toolchain versions via tracked .tool-versions): bash setup.sh && just doctor && just deps && just build && just install-service — confirm boj-rest.service starts cleanly without the (Mix) You're trying to run :boj_rest on Elixir v1.14.0 error that was previously hit.

Out of scope

🤖 Generated with Claude Code

… mix path in service unit

Three of the four sub-parts of the deferred cleanup ledger from PR #40's
out-of-scope list. The fourth (port the 6 .ts cartridge adapters to
AffineScript→typed-wasm) is delegated to a scheduled remote agent that
fires 2026-05-07 and runs one cartridge per pass.

## .github/workflows/hypatia-scan.yml — fix GITHUB_TOKEN missing

The Hypatia scan step was failing on every PR with:

  Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set
            — cannot query Dependabot alerts
  ##[error]Process completed with exit code 1.

Hypatia's CLI calls `gh api` for Dependabot alert lookups. Without
GITHUB_TOKEN in the env it can't query, and exits non-zero. Other steps
in the same workflow had GITHUB_TOKEN set on a per-step basis; this
moves it to job-level so all steps see it.

Also adds `security-events: read` to permissions (needed for the
Dependabot alert API).

## .github/workflows/{rsr-antipattern,ts-blocker}.yml — AffineScript not ReScript

Per estate-wide language policy 2026-04-30: RS/TS/JS → AffineScript →
typed-wasm. ReScript is also being phased out; only allowed as adapter
shims to upstream ReScript-using systems. The CI "use X instead"
messages now point at AffineScript, with Zig→WASM called out as the
systems-level alternative.

Specifically:

  rsr-antipattern.yml:
    - Header comment: "Allows: ReScript, Deno, ..."
        -> "Allows: AffineScript, Deno, Rust/SPARK, ..." with explicit
        carve-out that ReScript is shim-only.
    - "use ReScript instead" (TS check)        -> "use AffineScript→typed-wasm instead"
    - "use ReScript instead" (tsconfig check)  -> same
    - Summary banner: lists AffineScript as default, ReScript as
      transitional / adapter-shim only.

  ts-blocker.yml:
    - "port to Zig or ReScript" (existing-TS path)  -> "port to Zig or AffineScript"
    - "use Zig or ReScript instead" (new-JS path)   -> "use ... AffineScript→typed-wasm
                                                        for application code, Zig→WASM for systems"

Both keep the underlying detection unchanged; only the user-facing
guidance text changes.

## elixir/boj-rest.service — replace hardcoded /usr/bin/mix

The unit hardcoded `ExecStart=/usr/bin/mix run --no-halt`, which fails
on hosts where Elixir is asdf-managed (the only practical way to get
Elixir ≥ 1.15 on Ubuntu 24.04 LTS, since apt ships 1.14). The unit
would crash-loop with:

  ** (Mix) You're trying to run :boj_rest on Elixir v1.14.0 but it
  has declared in its mix.exs file it supports only Elixir ~> 1.15

Fix:

  - Adds Environment=PATH including %h/.asdf/shims, %h/.cargo/bin, and
    %h/.local/bin (in that order before system paths). %h is systemd's
    home-directory specifier, so the unit is portable across users.
  - Adds Environment=ASDF_DIR + ASDF_DATA_DIR so the asdf shim resolves
    correctly under systemd's clean environment.
  - Changes ExecStart to `mix run --no-halt` (PATH lookup), so the
    asdf shim picks up whatever Elixir is pinned in .tool-versions
    (now 1.18.4-otp-25 per the toolchain-pins PR #41).

Bumps the cartridge-count comment on LimitNOFILE from 112 to 115 to
match the rest of the repo post-#40.

## What this PR does NOT do

  - Port any of the 6 .ts cartridge adapters to AffineScript. That is
    delegated to a scheduled remote agent (one cartridge per pass,
    weekly, starting 2026-05-07).
  - Re-run any tests. The systemd unit fix is verified via the live
    install on the maintainer's machine, where boj-rest.service is
    currently `active (running)` with the patched (deployed-only)
    Environment=PATH approach. Persisting the fix to the source
    template is what this PR does.
  - Touch any cartridge code, build wiring, or non-CI workflow logic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit d71189c into main Apr 30, 2026
8 of 12 checks passed
@hyperpolymath hyperpolymath deleted the cleanup-non-port-2026-04-30 branch April 30, 2026 15:52
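
A pre-install check for the PATH ordering described in this PR, as an added example that is not part of the PR or the project's code: it reads a unit's Environment=PATH, expands %h, and reports which `mix` a process started with that PATH would run. The function names, the sandbox layout and both sample unit files are constructed for illustration; the sandbox stands in for a real home directory and /usr/bin.

```sh
#!/bin/sh
# Added example, not project code: which binary does a unit's PATH select?

# unit_path UNIT HOME: print the unit's last Environment=PATH, %h expanded.
unit_path() (
  line=$(sed -n 's/^Environment="\{0,1\}PATH=\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
  [ -n "$line" ] || exit 1
  while :; do
    case $line in
      *%h*) line=${line%%\%h*}$2${line#*\%h} ;;
      *) break ;;
    esac
  done
  printf '%s\n' "$line"
)

# resolve_cmd CMD PATH: print the first executable regular file named CMD.
resolve_cmd() (
  set -f
  IFS=:
  for dir in $2; do
    [ -n "$dir" ] || continue
    if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
      printf '%s\n' "$dir/$1"
      exit 0
    fi
  done
  exit 1
)

# unit_resolves UNIT HOME CMD: path CMD resolves to under the unit's PATH.
unit_resolves() (
  p=$(unit_path "$1" "$2") || exit 1
  resolve_cmd "$3" "$p"
)

# make_sandbox DIR: constructed fixture with a fake home holding an asdf shim,
# a fake system bin dir, and two units that differ only in PATH order.
make_sandbox() (
  d=$1
  mkdir -p "$d/home/.asdf/shims" "$d/sys/bin"
  printf '#!/bin/sh\necho shim\n' > "$d/home/.asdf/shims/mix"
  printf '#!/bin/sh\necho apt\n' > "$d/sys/bin/mix"
  chmod +x "$d/home/.asdf/shims/mix" "$d/sys/bin/mix"
  printf '[Service]\nEnvironment=PATH=%%h/.asdf/shims:%%h/.cargo/bin:%%h/.local/bin:%s\n' \
    "$d/sys/bin" > "$d/shim-first.service"
  printf '[Service]\nEnvironment="PATH=%s:%%h/.asdf/shims"\n' \
    "$d/sys/bin" > "$d/system-first.service"
)
```

On an installed host, `unit_resolves ~/.config/systemd/user/boj-rest.service "$HOME" mix` shows whether the shim or the distribution's `mix` comes first; a result outside the shim directory reproduces the Elixir 1.14 mismatch quoted in the commit message.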