ci(hypatia-scan): repin reusable to merge-commit SHA (orphan-SHA fix)#69
Closed
hyperpolymath wants to merge 1 commit into
Closed
ci(hypatia-scan): repin reusable to merge-commit SHA (orphan-SHA fix)#69hyperpolymath wants to merge 1 commit into
hyperpolymath wants to merge 1 commit into
Conversation
The wrapper pins to 97df762..., the PR-branch commit on standards#193 that was orphaned after squash-merge. The new pin 915139d7... is the merge-commit SHA on standards/main; file content is byte-identical. Estate fix: ~100 repos affected by the same orphan.
🔍 Hypatia Security ScanFindings: 45 issues detected
View findings[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
"type": "ncl_missing_spdx",
"file": "/home/runner/work/panic-attack/panic-attack/reports/panic-attack-20260211180017.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/panic-attack/panic-attack/src/attestation/chain.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/panic-attack/panic-attack/src/attestation/evidence.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/panic-attack/panic-attack/src/ambush/mod.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/panic-attack/panic-attack/src/kanren/strategy.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/panic-attack/panic-attack/src/axial/mod.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "expect() in hot path (4 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/panic-attack/panic-attack/src/assail/analyzer.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unwrap() without prior check -- DoS via panic (4 occurrences, CWE-754)",
"type": "unwrap_without_check",
"file": "/home/runner/work/panic-attack/panic-attack/benches/scan_bench.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/panic-attack/panic-attack/benches/scan_bench.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
Owner
Author
|
Closed as superseded: main already carries a newer SHA at the workflow location(s) this PR proposes to update. Rebasing would regress main. Refile against current main if a future repin is needed. (ERR-PR-001 — auto-closed via fix-close-obsolete-pr.sh.) |
auto-merge was automatically disabled
May 27, 2026 13:16
Pull request was closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
hypatia-scan.ymlwrapper pins to97df762...— the PR-branch commit of standards#193, not its merge commit. After the squash-merge, that PR-branch SHA was orphaned. GitHub Actions can no longer resolve the reusable, so every hypatia-scan run fails at parse stage (jobs: [], banner: "This run likely failed because of a workflow file issue").Diagnosis
97df762107501909f50bb770e9bc200b6c415600— PR-branch commit on standards#193 (orphaned).915139d73560e65a8240b8fc7768698658502c89— actual merge-commit on standards/main.Verification:
File content at both SHAs is byte-identical; only the reachability differs.
Estate scope
This is one of ~100 PRs in the sweep (
gh search code "@97df762" --owner hyperpolymathreturned 100 hits). Reusables-campaign closure track. Seehyperpolymath/standards#220for the closure audit doc.🤖 Generated with Claude Code