Chore/gitignore npm editorconfig claude 67 68 (#83)
Merged
hyperpolymath merged 12 commits on May 24, 2026
Conversation
Fixes estate-wide Hypatia Security Scan + Static Analysis Gate red. The pinned SHA `65c79d7...` for `actions/upload-artifact@v4` no longer resolves; current v4 = `ea165f8d`. Tracked in `hyperpolymath/hypatia#213`.
Fixes the lockfile drift left on `main` when #58 merged with only `package.json` updated. `npm install` regenerates `package-lock.json` cleanly; `@types/node` resolves to `20.19.41` (highest compatible with the new `^20.19.40` range). Follow-up to the cherry-pick recovery flagged in #58 — the Contents-API write for the lockfile failed during the recovery, so the merge landed in a drifted state until now.
…s step (#63)

`workflow-linter.yml` fails with 0 jobs in 0 seconds because of a YAML block-scalar bug at the "Check Permissions Declaration" step. The `run: |` block contains:

```yaml
echo "Add 'permissions:
  contents: read' at workflow level"
```

The second line has only 2 spaces of leading indent, which is LESS than the 10-space indent of the `run: |` block scalar. YAML terminates the block at the first line and treats ` contents: read' at workflow level"` as a top-level mapping fragment — making the whole workflow invalid. GitHub Actions then rejects the workflow during validation, completing the run with no jobs spawned.

Mirrors hyperpolymath/stapeln#35 — same regex-targeted fix that replaces the broken 2-line echo with two valid one-line echoes preserving the user-facing message:

```yaml
echo "Add 'permissions:'"
echo " contents: read' at workflow level"
```

After this fix, the Workflow Security Linter actually runs and reports SPDX/permissions/SHA-pin/duplicate findings as designed.
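The block-scalar termination rule described in that commit message is easy to check for mechanically. The following is an added example, not code from this PR or from the workflow linter: a small Python checker that walks a workflow file, finds every `run: |` / `run: >` block, records the first shallower-indented line that YAML would treat as the end of the scalar, and flags any block whose shell body is cut off inside an open double quote. The two workflow fragments are constructed to mirror the broken and fixed echo from the message; their indentation levels are assumptions and differ from the 10-space layout of the real file.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches a `run: |` or `run: >` key that opens a YAML block scalar.
RUN_BLOCK = re.compile(r"^(\s*)run:\s*[|>][-+]?\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_run_blocks(text: str) -> List[Dict]:
    """Locate every `run:` block scalar and record where YAML would end it.

    A block scalar's body is every following line indented at least as far as
    its first non-empty line; the first shallower line terminates the scalar
    and is parsed as ordinary YAML again (the bug mechanism in the commit).
    """
    lines = text.splitlines()
    blocks: List[Dict] = []
    i = 0
    while i < len(lines):
        m = RUN_BLOCK.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1))
        body: List[str] = []
        content_indent: Optional[int] = None
        terminator: Optional[Tuple[int, str]] = None  # (1-based line no, text)
        j = i + 1
        while j < len(lines):
            line = lines[j]
            if not line.strip():
                body.append("")
                j += 1
                continue
            ind = _indent(line)
            if content_indent is None:
                if ind <= key_indent:  # empty scalar: this line belongs to the parent
                    terminator = (j + 1, line)
                    break
                content_indent = ind
            if ind < content_indent:
                terminator = (j + 1, line)
                break
            body.append(line[content_indent:])
            j += 1
        blocks.append({"line": i + 1, "key_indent": key_indent,
                       "content_indent": content_indent,
                       "body": body, "terminator": terminator})
        i = j
    return blocks


def unbalanced_double_quotes(body: List[str]) -> bool:
    """True when the shell body holds an odd number of unescaped double quotes,
    i.e. a string literal opened but never closed inside the scalar."""
    count = sum(len(re.findall(r'(?<!\\)"', line)) for line in body)
    return count % 2 == 1


def lint_run_blocks(text: str) -> List[str]:
    """Report `run:` blocks whose body ends mid-string, naming the line that
    terminated the scalar and its indent relative to the body."""
    findings = []
    for b in find_run_blocks(text):
        if not unbalanced_double_quotes(b["body"]):
            continue
        msg = f"line {b['line']}: run block ends inside an open double quote"
        if b["terminator"] is not None:
            tline, ttext = b["terminator"]
            msg += (f"; YAML terminated the scalar at line {tline} "
                    f"(indent {_indent(ttext)} < content indent "
                    f"{b['content_indent']}): {ttext.strip()!r}")
        findings.append(msg)
    return findings


# Constructed workflow fragments (not the real workflow-linter.yml).
BROKEN = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Check Permissions Declaration
        run: |
          if ! grep -q '^permissions:' "$f"; then
            echo "Add 'permissions:
  contents: read' at workflow level"
          fi
"""

FIXED = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Check Permissions Declaration
        run: |
          if ! grep -q '^permissions:' "$f"; then
            echo "Add 'permissions:'"
            echo "  contents: read' at workflow level"
          fi
"""

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_run_blocks(doc) or "ok")
```

Running it reports the broken fragment's scalar as terminated at the `contents:` line (indent 2 against a body indent of 10) and passes the fixed one, which is the same shape of check the Workflow Security Linter would need before it can run at all.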
**rsr-antipattern.yml**: deletes the orphan duplicate Python script (lines 274-428) that escapes the heredoc and exits 127. Mirrors hyperpolymath/rsr-template-repo#39.

**hypatia-scan.yml**: bumps `erlef/setup-beam` SHA from `2f0cc07b…` to `fc68ffb9…` so `ImageOS=ubuntu24` resolves to `ubuntu-24.04` (matches the pin in hyperpolymath/hypatia upstream).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
…h/hypatia#213) (#61)

Mirrors hyperpolymath/hypatia#228 in this consumer repo.

## What was actually broken in `Hypatia Security Scan`

The scanner halts with `System.halt(1)` whenever findings exist at or above the severity threshold (`lib/hypatia/cli.ex:158-160` pre-#228). Under GitHub Actions' default `set -e`, that exit-1 short-circuits the workflow step before `jq` aggregation, `actions/upload-artifact`, the PR comment, AND the explicit "Check for critical or high-severity issues" step.

The previous `actions/upload-artifact` SHA-bump sweep across the estate (41 PRs) was based on a wrong diagnosis -- the failing runs were not at action-resolve time. See hyperpolymath/hypatia#213 for the full root-cause writeup.

## Changes in this PR

- **Pass `GITHUB_TOKEN`** to the scan step env so the Dependabot rule can query alerts (and stops emitting `Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set`).
- **Append `--exit-zero`** to the `hypatia-cli.sh scan .` invocation so findings-at-severity no longer short-circuits the step. The downstream "Check for critical or high-severity issues" step (already in this workflow) remains the explicit gate.
- **Pin `actions/upload-artifact` to v4.6.2** (`ea165f8d65b6e75b540449e92b4886f43607fa02`) to match the estate-wide pin.

## Notes

- `--exit-zero` was added in hyperpolymath/hypatia#228 and is silently ignored by pre-#228 versions of the scanner (OptionParser strict mode places unknown flags in `invalid` and the CLI discards that), so this PR is safe to merge in either order relative to #228.
- This change does not affect non-CI usage of the scanner; the default `exit 1` on findings is unchanged for shell / pre-commit users.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
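The failure mode in that commit message, a scanner exit 1 taking the aggregation, artifact upload and PR comment with it under `-e`, is reproducible without Hypatia. Below is an added Python example (not code from this PR or from the Hypatia project): a constructed stand-in scanner script that mimics the described exit behaviour, the scan step body as it was and with `--exit-zero` appended, each run under `sh -e` the way the runner executes a `run:` step, and a separate critical/high count that plays the role of the explicit downstream gate. The scanner script, the one-JSON-object-per-line finding format and the step bodies are assumptions.

```python
import json
import os
import shutil
import subprocess
import tempfile
import textwrap
from typing import Dict, Tuple

# Constructed stand-in for `hypatia-cli.sh scan .` (not the real scanner): emits one
# JSON finding per line, and exits 1 when any finding exists unless --exit-zero is
# given, which is the pre-/post-#228 behaviour the commit message describes.
FAKE_SCANNER = textwrap.dedent("""\
    n=$1; shift
    i=0
    while [ "$i" -lt "$n" ]; do
      printf '{"severity":"high","file":"src/f%s.js"}\\n' "$i"
      i=$((i+1))
    done
    if [ "$n" -gt 0 ] && [ "${1:-}" != "--exit-zero" ]; then exit 1; fi
    exit 0
""")

# The scan step as it was (scanner exit 1 aborts everything after it) and with
# --exit-zero appended. The echo lines stand in for the jq aggregation,
# upload-artifact and PR-comment commands that follow the scan in the real step.
STEP_BEFORE = textwrap.dedent("""\
    sh fake-scan.sh 2 > findings.jsonl
    echo "aggregate: $(grep -c severity findings.jsonl) findings"
    echo "upload-artifact: findings.jsonl"
""")
STEP_AFTER = STEP_BEFORE.replace("sh fake-scan.sh 2", "sh fake-scan.sh 2 --exit-zero")


def run_step(workdir: str, body: str) -> Tuple[int, str]:
    """Run a `run:` step body the way the runner does: a fresh shell with -e,
    so the first command that exits non-zero ends the step.
    Returns (exit status, combined stdout+stderr)."""
    path = os.path.join(workdir, "step.sh")
    with open(path, "w") as fh:
        fh.write(body)
    proc = subprocess.run(["sh", "-e", path], cwd=workdir,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def count_critical_high(findings_path: str) -> int:
    """The explicit downstream gate: number of findings at critical/high severity."""
    with open(findings_path) as fh:
        return sum(1 for line in fh
                   if line.strip()
                   and json.loads(line)["severity"] in ("critical", "high"))


def demo() -> Dict[str, object]:
    """Run both step variants in a scratch directory and return their outcomes."""
    workdir = tempfile.mkdtemp()
    try:
        with open(os.path.join(workdir, "fake-scan.sh"), "w") as fh:
            fh.write(FAKE_SCANNER)
        before = run_step(workdir, STEP_BEFORE)
        after = run_step(workdir, STEP_AFTER)
        gate = count_critical_high(os.path.join(workdir, "findings.jsonl"))
    finally:
        shutil.rmtree(workdir)
    return {"before": before, "after": after, "critical_high": gate}


if __name__ == "__main__":
    r = demo()
    print("without --exit-zero: exit", r["before"][0],
          "output:", r["before"][1].strip() or "(none: step aborted at the scan)")
    print("with --exit-zero:    exit", r["after"][0],
          "output:", r["after"][1].strip())
    verdict = "FAIL" if r["critical_high"] else "pass"
    print("gate: %d critical/high finding(s) -> %s" % (r["critical_high"], verdict))
```

The first run exits 1 with nothing after the scan executed; the second exits 0 with the aggregation and upload lines present, and the gate still fails on the two high findings, which is the split the PR relies on: the scan step records, the gate step decides.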
Canonical template carried the same estate-wide CI bugs that were just
swept across consumers:
- stale k9/a2ml validate-action pins (fixed false-positives) → bumped to
current main
- `hypatia-scan.yml` `working-directory: \${{ env.HOME }}/hypatia` →
`/home/runner/hypatia`
Fixing the template source so new/regenerated repos don't reintroduce
them. Covers all nested copies (`2` file(s)).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Jonathan D.A. Jewell <67598845+hyperpolymath@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Layer-1 propagation of **hyperpolymath/hypatia#252**. This repo carries its own copy of `.github/workflows/hypatia-scan.yml`. The **"Submit findings to gitbot-fleet (Phase 2)"** step hard-failed the job (exit 127) for any commit with ≥1 finding — it clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch. That is the estate-wide "Hypatia Neurosymbolic Analysis fails regardless of content" symptom.

Phase 2 is the collaborative **learning** side-channel, not the security gate (the gate is the separate baseline-aware critical/high step, which is untouched).

Fix mirrors the canonical workflow:

- `continue-on-error: true` on the Phase-2 step.
- Self-healing body: non-fatal clone, probe known submit-script paths, skip with `::warning::` if absent or non-zero.

Surgical: only the Phase-2 step changed; every other step preserved. Security enforcement is unchanged.

Refs hyperpolymath/hypatia#252

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Canonical-template gap (verisimiser#102): add pull-requests:write + Comment-step continue-on-error so the advisory PR-comment never hard-fails the Hypatia check (hypatia#213). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Canonical-template gap (verisimiser#102 cascade). Hard-coded `language: javascript-typescript` made CodeQL exit 'no source / configuration error' on every non-JS/TS repo — a permanent false-red `analyze` on most repos' main. Replace with a `detect` job that reads the repo's actual languages and only analyses CodeQL-supported, buildless-safe ones (rust, javascript-typescript, python, ruby, go); `analyze` is skipped (neutral) when none apply. Updated 1 codeql.yml copies. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Publishing the fix/package-lock-drift branch (2 commit(s) over main) — getting it on track per the 2026-05-16 estate pass. Far-from-main branches may need rebase before merge.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…-wide Mirrors the canonical RSR .gitignore change so v3-templater-generated projects inherit the npm-avoidant + local-only-scaffolding rules. Refs hyperpolymath/standards#67 Refs hyperpolymath/standards#68 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 30 issues detected
View findings
[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Js.Json deprecated -- use JSON (1 occurrences)",
"type": "deprecated_api",
"file": "/home/runner/work/v3-templater/v3-templater/src/utils/Escape.res",
"action": "module_replace",
"rule_module": "migration_rules",
"severity": "medium"
},
{
"reason": "Js.Json deprecated -- use JSON (2 occurrences)",
"type": "deprecated_api",
"file": "/home/runner/work/v3-templater/v3-templater/src/Compiler.res",
"action": "module_replace",
"rule_module": "migration_rules",
"severity": "medium"
},
{
"reason": "Js.Json deprecated -- use JSON (6 occurrences)",
"type": "deprecated_api",
"file": "/home/runner/work/v3-templater/v3-templater/src/Runtime.res",
"action": "module_replace",
"rule_module": "migration_rules",
"severity": "medium"
},
{
"reason": "Nominal-only SAST in v3-templater: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/v3-templater/v3-templater",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/unpinned_action -- Hypatia workflow_audit: unpinned_action -- 6 day(s) old",
"type": "CSA001",
"file": "governance.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/missing_workflow -- Hypatia workflow_audit: missing_workflow -- 6 day(s) old",
"type": "CSA001",
"file": "security-policy.yml",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/missing_workflow -- Hypatia workflow_audit: missing_workflow -- 6 day(s) old",
"type": "CSA001",
"file": "quality.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD009 -- Hypatia structural_drift: SD009 -- 7 day(s) old",
"type": "CSA001",
"file": "ffi/zig/src/main.zig",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence