fix(ci): asciidoctor install + re-pin a2ml-validate-action (unblocks #264)#266
Merged
Conversation
Two pre-existing reds blocking #264 (unrelated to its content): - docs-quality.yml: `gem install asciidoctor --version ${{ env.ASCIIDOCTOR_VERSION }}` — ASCIIDOCTOR_VERSION is never defined, so the flag had no argument → Gem::OptionParser:: MissingArgument. Dropped the dangling flag (matches the repo's other asciidoctor install step). - dogfood-gate.yml: re-pinned a2ml-validate-action from the exit-127 commit to f8517bb (broken-comment fix merged upstream as a2ml-validate-action#11). Greens 'Validate A2ML manifests'. Refs #260 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 11 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_workflow",
"file": "mirror.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/hypatia/hypatia/src/abi/RuleEngine.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
"type": "ncl_missing_spdx",
"file": "/home/runner/work/hypatia/hypatia/configs/config.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (22 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "as_ptr exposes raw pointer that may dangle or alias unsafely (10 occurrences, CWE-676)",
"type": "as_ptr",
"file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/adapters/src/codeberg.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/adapters/src/radicle.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"line": 35,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/hypatia/hypatia/.hypatia-exemptions.md",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in hypatia",
"type": "DependencyPinning",
"file": "/home/runner/work/hypatia/hypatia",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
The 'Generate Haskell API documentation' step (working-directory: registry, ghc/cabal/haddock for cicd-hyper-a) was template drift from a Haskell repo. hypatia is Elixir/Rust with no registry/ dir, so the step exited 'No such file or directory' on every run — the second pre-existing 'Build AsciiDoc' red. Removed (cut the irrelevant, per #260). Refs #260 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 11 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_workflow",
"file": "mirror.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/hypatia/hypatia/src/abi/RuleEngine.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
"type": "ncl_missing_spdx",
"file": "/home/runner/work/hypatia/hypatia/configs/config.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (22 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "as_ptr exposes raw pointer that may dangle or alias unsafely (10 occurrences, CWE-676)",
"type": "as_ptr",
"file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/adapters/src/codeberg.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/adapters/src/radicle.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"line": 35,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/hypatia/hypatia/.hypatia-exemptions.md",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in hypatia",
"type": "DependencyPinning",
"file": "/home/runner/work/hypatia/hypatia",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
added a commit
that referenced
this pull request
May 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two pre-existing CI reds on
main(not introduced by #264) — root-caused per the resolve-at-source rule:gem install asciidoctor --version ${{ env.ASCIIDOCTOR_VERSION }}—ASCIIDOCTOR_VERSIONis defined nowhere, so the flag had no value →Gem::OptionParser::MissingArgument. Dropped the dangling flag.a2ml-validate-actionhad a broken multi-line comment → bash raname/project …→ exit 127, failing every commit estate-wide. Fixed at source (a2ml-validate-action#11, merged) and re-pinned here tof8517bb.Shipped as a CI-fix PR separate from the #264 content per workflow convention. Once merged, #264 is rebased and goes green.
Refs #260
🤖 Generated with Claude Code