feat(rules): WF014/WF015/WF016 — detect 3 estate-wide CI failure patterns (#393)
Merged
Add three workflow-audit rules surfaced by the 2026-05-30 estate CI/CD audit. All three were directly responsible for in-flight red-PR backlogs that needed root-cause fixes this session.

## WF014: scorecard_publish_with_run_step

Fires when a workflow job contains `uses: ossf/scorecard-action` + `publish_results: true` + at least one `run:` step in the same job. OSSF's publish endpoint enforces "scorecard job must only have steps with uses" — co-locating any threshold gate fails publishing and the whole run. 49 estate repos affected. Fix recipe: split into two jobs (`scorecard` uses-only + `check-score` needs: scorecard). Template fix landed in hyperpolymath/standards#XXX.

## WF015: nonroot_container_checkout_eacces

Fires when a job's `container.image:` is on the well-known non-root-user list (coqorg/coq, leanprover/lean4, makarius/isabelle, haskell:, rocker/r-, jekyll/jekyll) AND uses `actions/checkout` AND lacks `container.options: --user root`. Root cause: `actions/checkout`'s post-step writes save_state files to `/__w/_temp/_runner_file_commands` as the runner host user; non-root container users can't write there, EACCES kills the job before any user step runs. Caught ephapax `coq-build.yml` — the merge-oracle workflow itself couldn't run, defeating the formal/ hard-gate guarantee.

## WF016: orphan_reusable_sha_pin

Data-driven rule. Detects `uses: hyperpolymath/standards/.github/workflows/<name>-reusable.yml@<orphan_sha>` where the SHA is on the maintained orphan-SHA list. Orphan SHAs are commits removed from main (force-push, GC); GitHub's read-only API still resolves the blob (cache-friendly), so code-review tooling does not catch this, but workflow_call refuses orphans at run-time. Caught 178 estate repos on the audit (95 hypatia-scan-reusable + 83 rust-ci-reusable). Audit reference in standards repo: `docs/audits/audit-hypatia-pin-orphan-2026-05-27.adoc`.
## Sensitivity / specificity

All three rules smoke-tested on positive + negative cases:

- WF014: fires on pre-fix scorecard-enforcer (1 finding), does NOT fire on the publish-free reusable scorecard.yml (0).
- WF015: fires on `coqorg/coq` w/o `--user root` (1), does NOT fire on the same with `--user root` (0), does NOT fire on generic `ubuntu:22.04` (0 — root by default).
- WF016: fires on `@97df7621` (1, orphan), does NOT fire on `@915139d7...` (0, current live SHA).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/ephapax that referenced this pull request (May 30, 2026):
## Summary

`.github/workflows/rust-ci.yml` pinned `hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@4fdf4314` — an orphan SHA (not reachable from `standards/main`). Read-only Contents API still resolves the blob (cached), so code-review does not catch this, but `workflow_call` at run-time refuses orphan SHAs and emits "workflow file issue" with zero jobs created.

## Fix

Re-pin to the reachable merge-commit SHA `cc5a372af1af1b202c17f1b21efd954e6c038bef` (#299, the latest commit touching the reusable).

## Reference

- Audit: hyperpolymath/standards/docs/audits/audit-hypatia-pin-orphan-2026-05-27.adoc
- Detector: hypatia rule WF016 (`Hypatia.Rules.WorkflowAudit.check_orphan_standards_reusable_pin`, added hyperpolymath/hypatia#393)

## Estate-wide impact

This is one of ~83 repos pinning this orphan rust-ci-reusable SHA. Parallel pattern: ~95 repos pinning orphan hypatia-scan-reusable SHA `@97df7621` → `@915139d7`. Combined ~178-repo fan-out tracked under hyperpolymath/standards#282 (or a follow-up issue).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/vcs-ircd that referenced this pull request (May 30, 2026):
## Summary

The workflow(s) in this repo pinned `hyperpolymath/standards` reusable workflow(s) at orphan SHAs — commits no longer reachable from `standards/main`. The Contents API resolves the blob (cached lookup), so code-review tooling does not catch this, but `workflow_call` at run-time refuses orphan SHAs and emits "workflow file issue" with zero jobs created.

## Fix

Re-pin to the reachable merge-commit SHAs:

- `hypatia-scan-reusable.yml@97df7621` → `@915139d73560e65a8240b8fc7768698658502c89`
- `rust-ci-reusable.yml@4fdf4314` → `@cc5a372af1af1b202c17f1b21efd954e6c038bef`

(only the reusables actually pinned in this repo are touched)

## Reference

- Audit: hyperpolymath/standards/docs/audits/audit-hypatia-pin-orphan-2026-05-27.adoc
- Detector: hypatia rule WF016 (`Hypatia.Rules.WorkflowAudit.check_orphan_standards_reusable_pin`, hyperpolymath/hypatia#393)

## Estate-wide context

One of ~167 affected repos. Caught by the 2026-05-30 estate CI/CD audit.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/heterogenous-mobile-computing that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/cloudguard-cli that referenced this pull request (May 30, 2026):
The caller workflow(s) pinned hyperpolymath/standards reusable workflow(s) at orphan SHAs no longer reachable from `standards/main`. Read-only Contents API resolves the blob (cached), so code-review tooling does not catch this; `workflow_call` at run-time refuses orphan SHAs and emits "workflow file issue" with zero jobs created.

Replacements:

    hypatia-scan-reusable.yml: @97df7621... → @915139d73560e65a8240b8fc7768698658502c89
    rust-ci-reusable.yml:      @4fdf4314... → @cc5a372af1af1b202c17f1b21efd954e6c038bef

Audit: hyperpolymath/standards/docs/audits/audit-hypatia-pin-orphan-2026-05-27.adoc
Detector: hypatia rule WF016 (hyperpolymath/hypatia#393)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/lcb-website that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/manifesto that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/anvomidav that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/network-dashboard that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/file-soup that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/Exnovation.jl that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/dafniser that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/docmatrix that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/palimpsest-license that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/nimiser that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/lucidscript that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/pseudoscript that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/tropical-resource-typing that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/tentacles-agentic-syllabus that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/a2ml-rs that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/ipv6-site-enforcer that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/vcl-ut that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/gitbot-fleet that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/snapcreate that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/kaldor-iiot that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/claude-gecko-browser-extension that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/echidnabot that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/iseriser that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/ffmpeg-ffi that referenced this pull request (May 30, 2026)
hyperpolymath added a commit to hyperpolymath/alloyiser that referenced this pull request (May 30, 2026)
🔍 Hypatia Security Scan. Findings: 102 issues detected.
## Summary

Three new `workflow_audit` rules surface estate CI/CD bugs that the 2026-05-30 audit caught actively breaking PRs.

## Rules added

**WF014: `scorecard_publish_with_run_step`** (high)

Fires when a job has `uses: ossf/scorecard-action` + `publish_results: true` + a `run:` step. OSSF's publish endpoint enforces "scorecard job must only have steps with uses". 49 estate repos affected. Fix recipe: split into two jobs. Template fix in companion hyperpolymath/standards PR.

**WF015: `nonroot_container_checkout_eacces`** (critical)

Fires when `container.image:` is on the non-root-default list (`coqorg/coq`, `leanprover/lean4`, `makarius/isabelle`, `haskell:`, `rocker/r-`, `jekyll/jekyll`) + `actions/checkout` + no `options: --user root`. Root cause: `actions/checkout`'s post-step writes save_state files to `/__w/_temp/_runner_file_commands` as the runner host user; non-root container users can't write there, EACCES kills the job. Caught ephapax `coq-build.yml` — merge-oracle couldn't run, defeating the `formal/` hard-gate guarantee.

**WF016: `orphan_reusable_sha_pin`** (critical)

Data-driven. Detects `uses: hyperpolymath/standards/.github/workflows/<name>-reusable.yml@<orphan_sha>` where the SHA is on the maintained orphan list. Orphan SHAs resolve via read-only API but `workflow_call` refuses them at run-time. 178 estate repos affected (95 hypatia-scan + 83 rust-ci).

## Sensitivity / specificity smoke tests

| Rule | Fires on | Does not fire on |
|---|---|---|
| WF014 | `publish_results: true` + `run:` | `uses:`-only, no publish |
| WF015 | `coqorg/coq:8.18` without `--user root` | `coqorg/coq:8.18` WITH `--user root`; `ubuntu:22.04` (root by default) |
| WF016 | `@97df7621` (orphan) | `@915139d7...` (live) |

## Why three rules in one PR

All three came from the same audit batch, share the same module (`WorkflowAudit`), pass identical smoke-test patterns, and the audit function's findings concatenation needed a single edit. Splitting into 3 PRs would create churn without separability.

🤖 Generated with Claude Code
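Added example, not Hypatia's own code (the PR's rules live in `Hypatia.Rules.WorkflowAudit`): the three rule conditions from the PR description and the Summary above, reimplemented in Python over an already-parsed workflow dict (the shape a YAML loader returns), and exercised on constructed workflows that mirror the PR's positive/negative smoke-test cases. The orphan-SHA set is a constructed stand-in for the maintained list; the job and step contents are made up for the example.

```python
import re

# Image prefixes whose default user is non-root (the list named in the PR).
NONROOT_IMAGE_PREFIXES = (
    "coqorg/coq", "leanprover/lean4", "makarius/isabelle",
    "haskell:", "rocker/r-", "jekyll/jekyll",
)

# Constructed stand-in for the maintained orphan-SHA list the real rule is
# driven by; both entries are the short SHAs named in the PR's smoke tests.
ORPHAN_SHAS = {"97df7621", "4fdf4314"}

REUSABLE_RE = re.compile(
    r"^hyperpolymath/standards/\.github/workflows/"
    r"(?P<name>[\w.-]+?)-reusable\.yml@(?P<sha>[0-9a-f]{7,40})$"
)

def _jobs(workflow):
    return (workflow.get("jobs") or {}).items()

def _steps(job):
    return job.get("steps") or []

def _uses(step, prefix):
    uses = step.get("uses")
    return isinstance(uses, str) and uses.startswith(prefix)

def check_scorecard_publish_with_run_step(workflow):
    """WF014: ossf/scorecard-action with publish_results: true and a run:
    step in the same job; the publish endpoint accepts uses:-only jobs."""
    findings = []
    for job_id, job in _jobs(workflow):
        steps = _steps(job)
        publishes = any(
            _uses(s, "ossf/scorecard-action")
            and str((s.get("with") or {}).get("publish_results")).lower() == "true"
            for s in steps
        )
        if publishes and any("run" in s for s in steps):
            findings.append(("WF014", job_id))
    return findings

def check_nonroot_container_checkout_eacces(workflow):
    """WF015: non-root-default container image + actions/checkout and no
    container.options: --user root. checkout's post-step then cannot write
    /__w/_temp/_runner_file_commands and the job dies with EACCES."""
    findings = []
    for job_id, job in _jobs(workflow):
        container = job.get("container")
        if isinstance(container, str):   # short form: `container: image:tag`
            container = {"image": container}
        if not isinstance(container, dict):
            continue
        image = str(container.get("image", ""))
        has_checkout = any(_uses(s, "actions/checkout") for s in _steps(job))
        runs_as_root = "--user root" in str(container.get("options", ""))
        if image.startswith(NONROOT_IMAGE_PREFIXES) and has_checkout and not runs_as_root:
            findings.append(("WF015", job_id))
    return findings

def check_orphan_standards_reusable_pin(workflow, orphan_shas=ORPHAN_SHAS):
    """WF016: a caller job pins a standards *-reusable.yml at a SHA on the
    orphan list. Pins may be short or full, so compare by prefix either way."""
    findings = []
    for job_id, job in _jobs(workflow):
        m = REUSABLE_RE.match(str(job.get("uses", "")))
        if m and any(m["sha"].startswith(o) or o.startswith(m["sha"]) for o in orphan_shas):
            findings.append(("WF016", job_id))
    return findings

def audit(workflow):
    """Concatenate the three rules' findings, as the PR's audit function does."""
    return (check_scorecard_publish_with_run_step(workflow)
            + check_nonroot_container_checkout_eacces(workflow)
            + check_orphan_standards_reusable_pin(workflow))

# Constructed workflows mirroring the PR's positive/negative smoke-test cases.
SCORECARD = {"uses": "ossf/scorecard-action@v2", "with": {"publish_results": True}}
GATE = {"run": "test \"$(jq .score results.json)\" -ge 7"}   # a threshold gate
WF014_BAD = {"jobs": {"scorecard": {"steps": [SCORECARD, GATE]}}}
WF014_FIXED = {"jobs": {"scorecard": {"steps": [SCORECARD]},            # uses-only
                        "check-score": {"needs": "scorecard", "steps": [GATE]}}}
CHECKOUT = [{"uses": "actions/checkout@v4"}, {"run": "make"}]
WF015_BAD = {"jobs": {"build": {"container": {"image": "coqorg/coq:8.18"}, "steps": CHECKOUT}}}
WF015_ROOT = {"jobs": {"build": {"container": {"image": "coqorg/coq:8.18",
                                               "options": "--user root"}, "steps": CHECKOUT}}}
WF015_UBUNTU = {"jobs": {"build": {"container": "ubuntu:22.04", "steps": CHECKOUT}}}
STANDARDS = "hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@"
WF016_BAD = {"jobs": {"hypatia": {"uses": STANDARDS + "97df7621"}}}
WF016_LIVE = {"jobs": {"hypatia": {"uses": STANDARDS + "915139d73560e65a8240b8fc7768698658502c89"}}}
CASES = {"WF014_BAD": WF014_BAD, "WF014_FIXED": WF014_FIXED, "WF015_BAD": WF015_BAD,
         "WF015_ROOT": WF015_ROOT, "WF015_UBUNTU": WF015_UBUNTU,
         "WF016_BAD": WF016_BAD, "WF016_LIVE": WF016_LIVE}

if __name__ == "__main__":
    for name, wf in CASES.items():
        print(f"{name:13s} -> {audit(wf)}")
```

Each `*_BAD` case yields exactly one finding and each fixed or out-of-scope case yields none, matching the 1/0 counts in the PR's smoke tests.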