chore(ci): convert hypatia-scan.yml to wrapper of standards reusable#22
Merged
Conversation
…able Replaces ~416 lines of duplicated Hypatia scan plumbing with a 29-line wrapper calling hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml at SHA 2569c10e831e293f9dd6580d82a494aca039deee (standards#191 HEAD). Behaviour-preserving: same triggers, same concurrency group, same permissions, same secrets passthrough. Refs standards#191.
Standards #191 was closed in favour of #193 (parallel-session implementation with simpler API: zero inputs except runs-on). Repointing the wrapper at #193 HEAD 97df762107501909f50bb770e9bc200b6c415600 so it picks up the merged reusable once #193 lands. Refs standards#193.
🔍 Hypatia Security ScanFindings: 72 issues detected
View findings[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "User-defined Coq axiom -- not verified by kernel (5 occurrences, CWE-704)",
"type": "coq_axiom",
"file": "/home/runner/work/eclexia/eclexia/formal/coq/src/ShadowPrices.v",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (4 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/eclexia/eclexia/playground/public/app.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/eclexia/eclexia/playground/server.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "unwrap_or(0) with dangerous default (4 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/eclexia/eclexia/compiler/eclexia-lexer/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/eclexia/eclexia/compiler/eclexia-mir/src/lower.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "panic! macro causes unrecoverable crash (2 occurrences, CWE-754)",
"type": "panic_macro",
"file": "/home/runner/work/eclexia/eclexia/compiler/eclexia-mir/src/lower.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "from_raw constructs types from raw pointers without safety checks (4 occurrences, CWE-676)",
"type": "from_raw",
"file": "/home/runner/work/eclexia/eclexia/compiler/eclexia-mir/src/lower.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/eclexia/eclexia/compiler/eclexia-wasm/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/eclexia/eclexia/compiler/eclexia/src/repl.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the per-repo
hypatia-scan.yml(416 lines) with a 29-line wrapper callinghyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@2569c10e831e293f9dd6580d82a494aca039deee(standards#191 HEAD SHA).Behaviour-preserving: identical triggers (push/pull_request/schedule/workflow_dispatch), same concurrency group, same permissions (contents:read + security-events:write + pull-requests:write), same secrets passthrough.
Same pattern as the rust-ci wrapper sweep (standards#174 + 82 wrapper PRs filed 2026-05-26).
Pin-to-not-yet-merged-SHA
Intentional: the SHA points at standards#191's PR HEAD. The wrapper file is staged but the action runner won't load the reusable until standards#191 lands on main.
Test plan
pull_requesttriggers run main's old workflow file (target-branch semantics)Refs standards#191.
🤖 Generated with Claude Code