Commit bf355fb
ci(workflow): adopt hardened hypatia-scan from hyperpolymath/hypatia#237 (#126)
* ci(workflow): adopt hardened hypatia-scan from hyperpolymath/hypatia#237
Replaces the local copy of `.github/workflows/hypatia-scan.yml` with the
canonical version from upstream main. The old copy had three issues that
combined to break every Dependabot PR:
1. `working-directory: ${{ env.HOME }}/hypatia`, where `env.HOME`
is not a GHA context — it evaluated to empty, so `cd /hypatia`
failed and the scanner was never built.
2. `hypatia-cli.sh scan .` without `--exit-zero` — scanner exit-1 on
findings short-circuited the rest of the step under `set -e`.
3. No baseline gate, so any pre-existing critical/high failed the build.
Upstream version:
- captures scanner exit code + stderr (visible on crash)
- falls back to `[]` on missing/invalid JSON
- reads `.hypatia-baseline.json` and fails only on NET-NEW critical/high
- scopes permissions narrowly (contents: read, pull-requests: write)
- marks the PR-comment step `continue-on-error: true` so Dependabot PRs
(read-only token) don't fail on the unavoidable 403
Baseline file follows in a second commit on this branch — first we need
the new workflow to actually run and capture current findings.
Unblocks PR #125 (CODEOWNERS) which is stuck on this exact scan.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci(fixup): restore newlines in hypatia-scan.yml
Previous commit on this branch wrote the YAML as a single line due to a
PowerShell encoding/-NoNewline mistake on my end. This re-applies the
canonical workflow content byte-for-byte, with line breaks intact, so
GitHub Actions can parse it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci(baseline): seed/refresh .hypatia-baseline.json from new workflow's first scan
Captured from run 25856297607 on this branch. 16 critical+high entries accepted as pre-existing baseline. Net-new findings going forward will still fail the gate.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
1 parent 10dd20d commit bf355fb
1,778 files changed
Lines changed: 207 additions & 323984 deletions
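As an added illustration of the gate the commit message describes (capture the scanner's exit code and stderr instead of letting `set -e` abort the step, fall back to `[]` on missing or invalid JSON, and fail only on critical/high findings that are not already in the baseline), here is a small Python sketch. It is not the upstream workflow's code and not part of this commit; the finding fields `rule`/`file`/`line`/`severity`, the baseline file shape and the exact scanner invocation are assumptions.

```python
"""Baseline-gated scanner triage (illustrative, not the hypatia-scan workflow itself)."""
import json
import subprocess
from typing import Any

# Severities that fail the build when they are net-new (assumed labels).
GATED = {"critical", "high"}


def run_scanner(cmd: list[str]) -> tuple[int, str, str]:
    """Run the scanner and capture exit code, stdout and stderr separately.

    Unlike a `set -e` shell step, a non-zero exit does not abort the caller;
    the code and stderr are returned so they can be logged on a crash.
    """
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def parse_findings(raw: str) -> list[dict[str, Any]]:
    """Parse scanner stdout; fall back to [] if it is empty, not JSON, or not a list."""
    try:
        data = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return []
    return data if isinstance(data, list) else []


def finding_key(finding: dict[str, Any]) -> tuple:
    # Assumed identity of a finding: the rule plus its location.
    return (finding.get("rule"), finding.get("file"), finding.get("line"))


def net_new_gated(findings: list[dict[str, Any]],
                  baseline: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return critical/high findings whose key is absent from the baseline."""
    known = {finding_key(b) for b in baseline}
    return [
        f for f in findings
        if str(f.get("severity", "")).lower() in GATED
        and finding_key(f) not in known
    ]


def gate(raw_stdout: str, baseline: list[dict[str, Any]]) -> tuple[int, list[dict[str, Any]]]:
    """Compute the step's exit code: 1 only if there are net-new gated findings."""
    new = net_new_gated(parse_findings(raw_stdout), baseline)
    return (1 if new else 0), new


# Constructed sample input: not real scanner output and not the repo's baseline.
SAMPLE_BASELINE = [
    {"rule": "R1", "file": "src/a.rs", "line": 10, "severity": "critical"},
    {"rule": "R3", "file": "src/b.rs", "line": 7, "severity": "high"},
]
SAMPLE_STDOUT = json.dumps([
    {"rule": "R1", "file": "src/a.rs", "line": 10, "severity": "critical"},  # baselined
    {"rule": "R2", "file": "src/c.rs", "line": 3, "severity": "high"},       # net-new, gated
    {"rule": "R4", "file": "src/c.rs", "line": 9, "severity": "low"},        # net-new, not gated
])


if __name__ == "__main__":
    # In the real step you would call run_scanner([...]) first and log the
    # exit code and stderr; here the constructed sample stands in for stdout.
    code, new = gate(SAMPLE_STDOUT, SAMPLE_BASELINE)
    for f in new:
        print(f"NET-NEW {f['severity']}: {f['rule']} at {f['file']}:{f['line']}")
    print(f"gate exit code: {code}")
```

The baseline lookup is keyed on rule and location, so a finding that moves to a new line is treated as net-new; a production gate would choose its key deliberately (for example a stable finding fingerprint) to avoid both false re-flags and silent suppression.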