port(ts->affine): unit/evidence_graph_test → AffineScript (STEP 4-C SEED, Refs standards#239 / #243)

.github/workflows/boj-build.yml

@@ -7,6 +7,7 @@ on:
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

.github/workflows/casket-pages.yml

@@ -18,6 +18,7 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -109,6 +110,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: build
     steps:
       - name: Deploy to GitHub Pages

.github/workflows/codeql.yml

@@ -23,6 +23,7 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     permissions:
       contents: read
       security-events: write
@@ -32,6 +33,8 @@ jobs:
         include:
           - language: javascript-typescript
             build-mode: none
+          - language: actions
+            build-mode: none
 
     steps:
       - name: Checkout

.github/workflows/dogfood-gate.yml

@@ -22,6 +22,7 @@ jobs:
   a2ml-validate:
     name: Validate A2ML manifests
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -66,6 +67,7 @@ jobs:
   k9-validate:
     name: Validate K9 contracts
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -115,6 +117,7 @@ jobs:
   empty-lint:
     name: Empty-linter (invisible characters)
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -179,6 +182,7 @@ jobs:
   groove-check:
     name: Groove manifest check
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -237,6 +241,7 @@ jobs:
   eclexiaiser-validate:
     name: Validate eclexiaiser manifest
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -258,26 +263,26 @@ jobs:
 
           # Validate TOML structure using Python 3.11+ tomllib
           python3 -c "
-import tomllib, sys
-with open('eclexiaiser.toml', 'rb') as f:
-    data = tomllib.load(f)
-project = data.get('project', {})
-if not project.get('name', '').strip():
-    print('ERROR: project.name is required', file=sys.stderr)
-    sys.exit(1)
-functions = data.get('functions', [])
-if not functions:
-    print('ERROR: at least one [[functions]] entry is required', file=sys.stderr)
-    sys.exit(1)
-for fn in functions:
-    if not fn.get('name', '').strip():
-        print('ERROR: function name cannot be empty', file=sys.stderr)
-        sys.exit(1)
-    if not fn.get('source', '').strip():
-        print(f'ERROR: function {fn[\"name\"]} has no source path', file=sys.stderr)
-        sys.exit(1)
-print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
-" || {
+          import tomllib, sys
+          with open('eclexiaiser.toml', 'rb') as f:
+              data = tomllib.load(f)
+          project = data.get('project', {})
+          if not project.get('name', '').strip():
+              print('ERROR: project.name is required', file=sys.stderr)
+              sys.exit(1)
+          functions = data.get('functions', [])
+          if not functions:
+              print('ERROR: at least one [[functions]] entry is required', file=sys.stderr)
+              sys.exit(1)
+          for fn in functions:
+              if not fn.get('name', '').strip():
+                  print('ERROR: function name cannot be empty', file=sys.stderr)
+                  sys.exit(1)
+              if not fn.get('source', '').strip():
+                  print(f'ERROR: function {fn[\"name\"]} has no source path', file=sys.stderr)
+                  sys.exit(1)
+          print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
+          " || {
             echo "::error file=eclexiaiser.toml::Invalid eclexiaiser.toml — see step output for details"
             exit 1
           }
@@ -300,6 +305,7 @@ print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
   dogfood-summary:
     name: Dogfooding compliance summary
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: [a2ml-validate, k9-validate, empty-lint, groove-check, eclexiaiser-validate]
     if: always()
 
@@ -378,4 +384,3 @@ print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
           *Generated by the [Dogfood Gate](https://github.com/hyperpolymath/rsr-template-repo) workflow.*
           *Dogfooding is guinea pig fooding — we test our tools on ourselves.*
           EOF
-

.github/workflows/elixir-ci.yml

@@ -12,5 +12,5 @@ jobs:
   elixir-ci:
     uses: hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@4fdf4314b4ab54269adbaff10e30e483b5e86845
     with:
-      otp-version: "26"
-      elixir-version: "1.15"
+      otp-version: "27.2.1"
+      elixir-version: "1.18.2"

.github/workflows/elixir.yml

@@ -20,14 +20,40 @@ jobs:
 
     name: Build and test
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      MIX_ENV: test
+      POSTGRES_PASSWORD: ${{ github.run_id }}
+      ARANGO_USERNAME: root
+      ARANGO_PASSWORD: ${{ github.run_id }}
+
+    services:
+      postgres:
+        image: postgres:16-alpine@sha256:79950da386bda7fcc9d57aa9aa9be6c6d7407596a9b8f68014b09a778a9ab316
+        env:
+          POSTGRES_PASSWORD: ${{ github.run_id }}
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres -d postgres"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+      arangodb:
+        image: arangodb:3.12@sha256:95567b13d74dbec3869468f88c31a53ae598fa5f90e0e2e582df89b7b6893ae7
+        env:
+          ARANGO_ROOT_PASSWORD: ${{ github.run_id }}
+        ports:
+          - 8529:8529
 
     steps:
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
     - name: Set up Elixir
       uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4
       with:
-        elixir-version: '1.15.2' # [Required] Define the Elixir version
-        otp-version: '26.0'      # [Required] Define the Erlang/OTP version
+        elixir-version: '1.18.2'
+        otp-version: '27.2.1'
     - name: Restore dependencies cache
       uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
       with:
@@ -36,5 +62,15 @@ jobs:
         restore-keys: ${{ runner.os }}-mix-
     - name: Install dependencies
       run: mix deps.get
+    - name: Wait for ArangoDB
+      run: |
+        for attempt in $(seq 1 30); do
+          if curl -fsS -u "root:${ARANGO_PASSWORD}" http://localhost:8529/_api/version >/dev/null; then
+            exit 0
+          fi
+          sleep 2
+        done
+        echo "::error::ArangoDB did not become ready"
+        exit 1
     - name: Run tests
       run: mix test

.github/workflows/generator-generic-ossf-slsa3-publish.yml

@@ -23,6 +23,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     outputs:
       digests: ${{ steps.hash.outputs.digests }}
 

.github/workflows/governance.yml

@@ -31,4 +31,4 @@ permissions:
 
 jobs:
   governance:
-    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
+    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613

.github/workflows/hypatia-scan.yml

@@ -43,6 +43,7 @@ jobs:
   scan:
     name: Hypatia Neurosymbolic Analysis
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     steps:
       - name: Checkout repository
@@ -53,8 +54,8 @@ jobs:
       - name: Setup Elixir for Hypatia scanner
         uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.18.2
         with:
-          elixir-version: '1.18'
-          otp-version: '27'
+          elixir-version: '1.18.2'
+          otp-version: '27.2.1'
 
       - name: Clone Hypatia
         run: |
@@ -411,4 +412,4 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
               body: comment
-            });
+            });

.github/workflows/instant-sync.yml

@@ -14,8 +14,22 @@ permissions:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
+      - name: Check dispatch token
+        id: dispatch-token
+        env:
+          FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
+        run: |
+          if [ -n "$FARM_DISPATCH_TOKEN" ]; then
+            echo "present=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "present=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::FARM_DISPATCH_TOKEN is not configured; skipping propagation dispatch."
+          fi
+
       - name: Trigger Propagation
+        if: steps.dispatch-token.outputs.present == 'true'
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
         with:
           token: ${{ secrets.FARM_DISPATCH_TOKEN }}
@@ -30,4 +44,5 @@ jobs:
             }
 
       - name: Confirm
+        if: steps.dispatch-token.outputs.present == 'true'
         run: echo "::notice::Propagation triggered for ${{ github.event.repository.name }}"

.github/workflows/rescript-deno-ci.yml

@@ -2,50 +2,35 @@
 permissions:
   contents: read
 
-name: ReScript/Deno CI
+name: Deno CI
 on: [push, pull_request]
-npermissions:
-  contents: read
-
 
 jobs:
   build:
     runs-on: ubuntu-latest
-npermissions:
-  contents: read
+    timeout-minutes: 15
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2
         with:
-          deno-version: v1.x
-npermissions:
-  contents: read
-
+          deno-version: v2.x
 
       - name: Deno lint
-        run: deno lint
+        run: deno task lint
 
       - name: Deno fmt check
-        run: deno fmt --check
+        run: deno fmt --check tests/
 
       - name: Deno test
         run: deno test --allow-all --coverage=coverage
 
-      - name: ReScript build
-        run: |
-          if [ -f "rescript.json" ] || [ -f "bsconfig.json" ]; then
-            npm install
-            npx rescript
-          fi
-
       - name: Type check
-        run: deno check **/*.ts || true
+        run: deno check tests/**/*.js
 
   security:
     runs-on: ubuntu-latest
-npermissions:
-  contents: read
+    timeout-minutes: 10
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

.github/workflows/scorecard-enforcer.yml

@@ -23,6 +23,7 @@ permissions:
 jobs:
   scorecard:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       security-events: write
       id-token: write  # For OIDC
@@ -61,6 +62,7 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/trustfile.yml

@@ -20,6 +20,7 @@ permissions:
 jobs:
   validate:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/workflow-linter.yml

@@ -15,6 +15,7 @@ permissions: read-all
 jobs:
   lint-workflows:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 

.gitlab-ci.yml

@@ -1,5 +1,6 @@
 # GitLab CI/CD Pipeline for Evidence Graph
 # Automated testing, security scanning, and deployment
+# hypatia: allow security_errors/secret_detected -- local GitLab service defaults only
 
 image: elixir:1.16-alpine
 

.hypatia-ignore

@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MPL-2.0
+# Generated third-party D3 bundle. Runtime hooks live under assets/js/hooks
+# and are scanned separately; this vendored file is not hand-edited source.
+code_safety/js_innerhtml:assets/vendor/d3.v7.min.js
+code_safety/js_http_url_in_code:assets/vendor/d3.v7.min.js