
ci(hypatia-scan): grant actions:read so the reusable can start (the real fix)#42

Merged
hyperpolymath merged 2 commits into main from claude/gallant-faraday-LSAGJ on Jun 20, 2026

Conversation

@hyperpolymath (Owner)

Confirming the #39 repin: it did not fully fix hypatia-scan — and this is the missing half.

After #39 repinned the reusable to a resolvable SHA (8e6ba7d), eclexia's hypatia-scan stopped failing with 0 jobs and instead began failing as startup_failure (runs 23f5945a, 9d8e05f on main). Root cause: the standards hypatia-scan-reusable.yml declares permissions: including actions: read, but the caller's permissions: block listed only contents/security-events/pull-requests. Specifying any permissions block pins every unlisted scope to none, so the reusable's actions: read request exceeds the grant → the run dies at startup before scheduling jobs.

Fix: add actions: read to the caller. Combined with the resolvable pin from #39, the reusable's full permission contract is now satisfied.

This PR is the canary. Its own hypatia-scan run (on this PR) is the empirical test — if it executes real jobs / goes green, the diagnosis is confirmed and the identical fix applies estate-wide to the other reusable-wrapper repos (Axiom.jl, nextgen-languages, nextgen-typing — all currently 0-jobs-failing at three different stale pins, so each needs repin + actions: read). The 4 inline-scan repos (echo-types, Axiology, Cliodynamics, Cliometrics) don't call the reusable and are unaffected.

🤖 Generated with Claude Code

https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG
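The permission rule the description relies on, as an added example that is not code from the eclexia or standards repos: a small Python model of how an explicit caller `permissions:` block is resolved against the scopes a reusable workflow declares, and which requested scopes exceed the grant. The `actions: read` requirement and the caller's three listed scopes come from the description above; the access levels assigned to the other scopes are assumed for illustration.

```python
"""Model of GitHub Actions permission resolution between a caller workflow
and a reusable workflow it invokes with `uses:`.

Added example; the permission maps below are reconstructed from the PR
description, not copied from either repo's workflow files.

Caller block before the fix (shape reconstructed from the description):

    permissions:
      contents: read
      security-events: write
      pull-requests: write

Caller block after the fix:

    permissions:
      actions: read
      contents: read
      security-events: write
      pull-requests: write
"""

# GITHUB_TOKEN access levels, lowest to highest.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Scopes considered here. Any scope absent from an *explicit* permissions
# block is pinned to "none" (a workflow with no block at all instead gets
# the repository default, which this model does not cover).
SCOPES = ("actions", "contents", "pull-requests", "security-events")


def effective_grant(caller_permissions):
    """Return the full scope -> level map carried by the caller's token."""
    return {scope: caller_permissions.get(scope, "none") for scope in SCOPES}


def unsatisfied_requests(caller_permissions, reusable_permissions):
    """Scopes the reusable requests at a higher level than the caller grants.

    A non-empty result is the condition that makes the run die at startup
    (startup_failure, 0 jobs) before any job is scheduled: a called workflow
    may only downgrade the token it receives, never elevate it.
    """
    grant = effective_grant(caller_permissions)
    return sorted(
        scope
        for scope, level in reusable_permissions.items()
        if LEVELS[level] > LEVELS[grant.get(scope, "none")]
    )


# Reusable workflow's declared permissions. `actions: read` is the scope the
# description names; the other levels are assumed for this example.
REUSABLE = {
    "actions": "read",
    "contents": "read",
    "security-events": "write",
    "pull-requests": "write",
}

# Caller before the fix: contents / security-events / pull-requests only.
CALLER_BEFORE = {
    "contents": "read",
    "security-events": "write",
    "pull-requests": "write",
}

# Caller after the fix: actions: read added.
CALLER_AFTER = dict(CALLER_BEFORE, actions="read")


if __name__ == "__main__":
    print("before:", unsatisfied_requests(CALLER_BEFORE, REUSABLE))  # ['actions']
    print("after: ", unsatisfied_requests(CALLER_AFTER, REUSABLE))   # []
```

The same comparison is the check to run against the other reusable-wrapper repos before repinning: take the reusable's `permissions:` map and each caller's block, and any scope reported by `unsatisfied_requests` has to be added to that caller.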


Generated by Claude Code

The standards hypatia-scan-reusable declares permissions including actions:read. eclexia's caller block omitted it, which pins actions to 'none'; the reusable's request then exceeds the grant and the run dies as startup_failure with 0 jobs (the failure that survived the #39 repin). Adds actions:read to satisfy the reusable's contract.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG
@github-actions

🔍 Hypatia Security Scan

Findings: 102 issues detected

Severity Count
🔴 Critical 11
🟠 High 16
🟡 Medium 75

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in build.yml",
    "type": "missing_timeout_minutes",
    "file": "build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "missing_timeout_minutes",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "missing_timeout_minutes",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cflite_batch.yml",
    "type": "missing_timeout_minutes",
    "file": "cflite_batch.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cflite_pr.yml",
    "type": "missing_timeout_minutes",
    "file": "cflite_pr.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dependabot-automerge.yml",
    "type": "missing_timeout_minutes",
    "file": "dependabot-automerge.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "missing_timeout_minutes",
    "file": "instant-sync.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 20, 2026 16:53
@hyperpolymath hyperpolymath merged commit bb3856a into main Jun 20, 2026
1 check passed
@hyperpolymath hyperpolymath deleted the claude/gallant-faraday-LSAGJ branch June 20, 2026 16:53
@github-actions

🔍 Hypatia Security Scan

Findings: 95 issues detected

Severity Count
🔴 Critical 11
🟠 High 14
🟡 Medium 70

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in build.yml",
    "type": "missing_timeout_minutes",
    "file": "build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "missing_timeout_minutes",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "missing_timeout_minutes",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cflite_batch.yml",
    "type": "missing_timeout_minutes",
    "file": "cflite_batch.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cflite_pr.yml",
    "type": "missing_timeout_minutes",
    "file": "cflite_pr.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dependabot-automerge.yml",
    "type": "missing_timeout_minutes",
    "file": "dependabot-automerge.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "missing_timeout_minutes",
    "file": "instant-sync.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
