fix(ci): sweep fake action SHA pins from e2e.yml template stubs #20

Merged
hyperpolymath merged 1 commit into main from claude/fix-template-fake-shas
May 30, 2026

@hyperpolymath
Owner

Summary

Sweeps fake action SHA pins inherited from the rsr-template-repo e2e.yml template. All 4 fake SHAs in this file were template comment stubs (inert until uncommented), but the same pattern propagated to ~20 repos across the estate via the RSR copy-and-customise flow.

Replaced

| Action | Fake SHA | Real SHA | Tag |
|---|---|---|---|
| goto-bus-stop/setup-zig | 7ab2955...3608 (partial collision with v2.2.0) | abea47f85e598557f500fa1fd2ab7464fcb39406 | v2.2.1 |
| erlef/setup-beam | 5a67e1a...a66c07 | fc68ffb90438ef2936bbb3251622353b3dcb2f93 | v1.24.0 |
| denoland/setup-deno | 5fae568...c3497 | 667a34cdef165d8d2b2e98dde39547c9daac7282 | v2.0.4 |
| haskell-actions/setup | dd344bc...3a40fce | cd0d9bdd65b20557f41bea4dbe43d0b5fbbfe553 | v2.11.0 |

All real SHAs verified via gh api repos/<org>/<action>/commits/<sha>.

Provenance

  • Discovered: wiring CI for hyperpolymath/snifs#30
  • Template source fixed: hyperpolymath/rsr-template-repo#81 (merged)
  • Standards consolidation: hyperpolymath/standards#289 (in flight)
  • Per-repo fan-out: this PR is part of the sweep across affected estate repos

Test plan

  • Diff shows only template-comment SHA substitutions (no functional change in this repo since the lines were already commented)
  • If anyone later uncomments a template stub, the action resolves instead of 422'ing

This file inherits its e2e.yml from the rsr-template-repo template, which
carried 4 fabricated action SHA pins in template-comment stubs. The pins
were inert in commented form here, but would have 422'd at action
resolution if anyone uncommented them. Caught and fixed at the template
source in hyperpolymath/rsr-template-repo#81 (merged); this PR sweeps
the propagated stubs.

  goto-bus-stop/setup-zig  7ab2955...3608  -> abea47f...39406  (v2.2.1)
  erlef/setup-beam         5a67e1a...a66c07 -> fc68ffb...db2f93 (v1.24.0)
  denoland/setup-deno      5fae568...c3497 -> 667a34c...c7282  (v2.0.4)
  haskell-actions/setup    dd344bc...3a40fce -> cd0d9bd...e0553 (v2.11.0)

All four real SHAs verified via `gh api repos/<org>/<action>/commits/<sha>`.

Originally discovered while wiring CI for hyperpolymath/snifs#30.
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 14:52
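
An added example, not code from this PR or from the repositories it names: a small auditor that finds `uses:` pins in a workflow file, including commented-out template stubs like the ones swept here, and checks each full SHA against the `repos/<org>/<action>/commits/<sha>` endpoint the description cites. The function names, the `commit_exists` hook, the sample workflow and the `deadbeef…` pin are assumptions constructed for illustration; the `abea47f…` SHA is the one from the table above.

```python
import re
import subprocess

# Matches `uses: owner/repo[/path]@ref`, active or commented out (`# - uses: ...`).
USES_RE = re.compile(
    r"^(?P<comment>\s*#)?[\s#-]*uses:\s*"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(?P<ref>[^\s#]+)"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def gh_endpoint(repo, sha):
    """Endpoint form used in the PR description's verification step."""
    return f"repos/{repo}/commits/{sha}"

def gh_commit_exists(repo, sha):
    """Live check: needs the gh CLI, authentication and network access."""
    result = subprocess.run(["gh", "api", gh_endpoint(repo, sha)], capture_output=True)
    return result.returncode == 0

def audit(workflow_text, commit_exists=gh_commit_exists):
    """Return one finding per pin; commented stubs are audited too."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref = m["repo"], m["ref"]
        if not FULL_SHA.match(ref):
            status = "not-a-full-sha"   # tag or branch: mutable reference
        elif commit_exists(repo, ref):
            status = "ok"
        else:
            status = "unresolvable"     # well-formed but no such commit
        findings.append({"line": lineno, "repo": repo, "ref": ref,
                         "commented": m["comment"] is not None, "status": status})
    return findings

# Constructed sample workflow: one real pin, one fabricated stub, one tag stub.
SAMPLE = """\
jobs:
  e2e:
    steps:
      - uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2.2.1
      # - uses: erlef/setup-beam@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # constructed
      # - uses: denoland/setup-deno@v2
"""
# Offline stand-in for the API, seeded with the verified SHA from this PR.
KNOWN = {("goto-bus-stop/setup-zig", "abea47f85e598557f500fa1fd2ab7464fcb39406")}

def offline_lookup(repo, sha):
    return (repo, sha) in KNOWN
```

Calling `audit(SAMPLE, offline_lookup)` runs without network access; omitting the second argument switches to the live `gh api` lookup.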
@github-actions

🔍 Hypatia Security Scan

Findings: 102 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 12 |
| 🟠 High | 27 |
| 🟡 Medium | 63 |

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dependabot-automerge.yml",
    "type": "unknown",
    "file": "dependabot-automerge.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in governance.yml",
    "type": "unknown",
    "file": "governance.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 4db81a7 into main May 30, 2026
18 of 23 checks passed
@hyperpolymath hyperpolymath deleted the claude/fix-template-fake-shas branch May 30, 2026 15:02