chore(ci): bump standards reusable pins past #219 governance fix #353
Merged
… fix
Two wrappers point at stale SHAs of hyperpolymath/standards reusables:
.github/workflows/governance.yml:34
pinned to 66271d3 (2026-05-22) — predates standards#219 (ad366b6,
2026-05-27) which fixes `governance / Language / package anti-pattern
policy` failing with exit 128. Root cause: governance-reusable.yml
used `ref: ${{ github.workflow_sha }}` for its inner self-checkout,
which in a reusable resolves to the CALLER's SHA, not the reusable
file's SHA, so the fetch asked the standards repo for a SHA that
only exists in hypatia → exit 128 after retries.
.github/workflows/hypatia-scan.yml:28
pinned to 97df762 — orphan SHA on the pre-squash PR branch for #193.
File content identical to the canonical squash-merged 915139d, but
cross-checks and audits (cf. standards#220) prefer pins reachable
on standards/main.
Both bumped to current standards/main HEAD 5eb28d7. Delta picked up on
the governance side:
ad366b6 fix(governance-reusable): pin standards self-checkout to main (#219)
481c496 feat(governance): add check-trusted-base CI enforcement (#211)
0ec0b83 fix(governance): eradicate inline Python from governance-reusable.yml (#189)
3285ac1 fix(baseline): file_pattern glob matching + jq scoping bugs (#180)
431adbb refactor(governance): subsume language-policy.yml + add deno-ci-reusable (#168)
91d8b88 feat: consume .hypatia-baseline.json in governance gate (#166)
43b6563 fix: checkout caller's repo in governance-reusable workflow
Delta on hypatia-scan side: none (reusable file unchanged since #193).
No code changes; only workflow SHA pins.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 2 issues detected
View findings
[
  {
    "reason": "Repository has 16 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
    "type": "CSA001",
    "file": ".github/workflows/hypatia-scan.yml",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  }
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Root-cause summary
`governance / Language / package anti-pattern policy` has been failing on hypatia/main (and on every open PR) because:
`.github/workflows/governance.yml:34` pinned `governance-reusable.yml@66271d3` (2026-05-22) — predates hyperpolymath/standards#219 (merged `ad366b6`, 2026-05-27).
`workflow_sha` resolution bug: in a reusable workflow, `github.workflow_sha` resolves to the caller's SHA, not the reusable's SHA. The inner self-checkout of `hyperpolymath/standards` therefore asked the standards repo for a SHA that only exists in hypatia → `exit 128` after 3 retries.
This PR bumps both standards-reusable pins past that fix.
Pins changed
.github/workflows/governance.yml:34
66271d3... (2026-05-22) → 5eb28d7d8790d5389b7b6a5233fe6265a775e3d0 (standards/main, 2026-05-27)
.github/workflows/hypatia-scan.yml:28
97df762... (orphan SHA on PR-branch for #193) → 5eb28d7d8790d5389b7b6a5233fe6265a775e3d0 (canonical main)
Delta picked up (governance side)
7 commits, all fixes / hardening:
ad366b6 fix(governance-reusable): pin standards self-checkout to main (#219) — the load-bearing fix
481c496 feat(governance): add check-trusted-base CI enforcement (#211)
0ec0b83 fix(governance): eradicate inline Python from governance-reusable.yml (#189)
3285ac1 fix(baseline): file_pattern glob matching + jq scoping bugs (#180)
431adbb refactor(governance): subsume language-policy.yml + add deno-ci-reusable (#168)
91d8b88 feat: consume .hypatia-baseline.json in governance gate (#166)
43b6563 fix: checkout caller's repo in governance-reusable workflow
Delta on hypatia-scan side: none (reusable file unchanged since #193 squash-merge).
Estate implication
This same stale-pin pattern affects every repo whose `governance.yml` wrapper points to a pre-`ad366b6` SHA of `governance-reusable.yml`. An estate-wide fan-out bump-PR sweep is the comprehensive remedy (cf. session memory on the doomed-CI pilot). This PR is the per-repo first cut for hypatia.
Auto-merge
SQUASH (per estate policy).
🤖 Generated with Claude Code
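An added example, not part of this PR or of the hyperpolymath tooling: one way to run the estate-wide check the description calls for, classifying each `hyperpolymath/standards` reusable pin in a wrapper as pre-fix, orphan, not SHA-pinned, or current. It assumes a linear, squash-merged `main`; the `hypatia-scan-reusable.yml` file name, the zero-padded SHAs and the shortened history are constructed placeholders.

```python
import re

# `uses: owner/repo/.github/workflows/<file>@<ref>` (a reusable-workflow call)
USES_RE = re.compile(r"\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)/"
                     r"(?P<path>\.github/workflows/[\w./-]+)@(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_pins(workflow_text, repo, main_history, required_fix):
    """Classify each reusable-workflow pin to `repo` in workflow_text.
    main_history: full SHAs of the reusable repo's main, newest first (e.g.
    `git rev-list --first-parent main`); assumed linear (squash merges), so
    list position stands in for ancestry. required_fix: SHA prefix of the
    commit every pin must include.
    """
    fix_idx = next(i for i, s in enumerate(main_history)
                   if s.startswith(required_fix))
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["repo"] != repo:
            continue
        ref = m["ref"]
        if not FULL_SHA_RE.fullmatch(ref):
            status = "not-sha-pinned"   # branch or tag: mutable ref
        elif ref not in main_history:
            status = "orphan"           # SHA not reachable on main
        elif main_history.index(ref) > fix_idx:
            status = "predates-fix"     # on main, but older than the fix
        else:
            status = "ok"
        findings.append((lineno, m["path"].rsplit("/", 1)[-1], ref[:7], status))
    return findings

# Constructed sample. Only 5eb28d7... appears in full on the page; the other
# SHAs are the page's abbreviations zero-padded to 40 chars as placeholders.
def pad(short):
    return short.ljust(40, "0")
HEAD = "5eb28d7d8790d5389b7b6a5233fe6265a775e3d0"
MAIN_HISTORY = [HEAD, pad("ad366b6"), pad("481c496"), pad("66271d3")]
BASE = "    uses: hyperpolymath/standards/.github/workflows/"
SAMPLE = "\n".join([  # hypatia-scan-reusable.yml is a hypothetical file name
    "jobs:",
    "  governance:", BASE + "governance-reusable.yml@" + pad("66271d3"),
    "  scan:", BASE + "hypatia-scan-reusable.yml@" + pad("97df762"),
    "  bumped:", BASE + "governance-reusable.yml@" + HEAD,
    "  floating:", BASE + "governance-reusable.yml@main",
])
if __name__ == "__main__":
    print(audit_pins(SAMPLE, "hyperpolymath/standards", MAIN_HISTORY, "ad366b6"))
```

On a history that contains merge commits, replace the list-position comparison with `git merge-base --is-ancestor` run against a clone of the reusable repo.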