
chore(ci): bump standards reusable workflow pins#62

Merged: hyperpolymath merged 1 commit into main from chore/bump-standards-pins-2026-06-24 on Jun 24, 2026


@hyperpolymath

Owner

Bumps stale hyperpolymath/standards/.github/workflows/*-reusable.yml pins to current standards HEAD (d135b05bfc647d0c0fbfedc7e80f37ea50f49236) to clear governance 'Check Workflow Staleness' (ADR-003) failures. CI-pin changes only.

OWNER-AUTHORIZED estate pin-bump campaign 2026-06-24.

🤖 Generated with Claude Code

Bump stale hyperpolymath/standards reusable workflow pins to current
standards HEAD (d135b05bfc647d0c0fbfedc7e80f37ea50f49236) to clear governance 'Check Workflow
Staleness' (ADR-003) failures.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 97715e9 into main Jun 24, 2026
1 check passed
@hyperpolymath hyperpolymath deleted the chore/bump-standards-pins-2026-06-24 branch June 24, 2026 14:40
hyperpolymath added a commit that referenced this pull request Jul 2, 2026
Every one of these predates today's work; all four failed at workflow
LOAD time (zero jobs), so nothing they gate has actually run in weeks:

- secret-scanner.yml: caller granted only contents:read but the called
  reusable's gitleaks job requests pull-requests:write + actions:read.
  A called workflow can only narrow the caller's token, never exceed it
  -> startup_failure on every run since the 2026-06-24 repin (#62).
  Caller now grants the superset. (The reusable's comment claiming its
  permissions 'override the caller's' is backwards — flagged for
  standards separately.)
- scorecard.yml: same class — read-all cannot cover the callee's
  security-events:write + id-token:write. Explicit grant block added.
- dogfood-gate.yml: an inline python3 -c snippet was written at column 1
  inside a run:| literal block, terminating the block scalar and making
  the entire file unparseable (path-as-name, zero jobs — all six jobs
  invisible). Script moved to the step's env.PYCODE block scalar (YAML
  strips base indentation there) and invoked as python3 -c "$PYCODE".
- instant-sync.yml: secrets context is not available in step-level if:
  — workflow-file error at load. Secret hoisted to job env and the step
  gated on env.FARM_DISPATCH_TOKEN instead. (When the secret is absent
  the step skips and the job is green, which matches the recorded plan
  to drop FARM_DISPATCH_TOKEN after the credential rebuild.)

Validated: actionlint clean across .github/workflows; all four parse
with the expected job sets.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
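
An added example (not code from this repository or from hyperpolymath/standards) of a pre-merge check for the failure class the commit message above describes for secret-scanner.yml and scorecard.yml: compare what a called workflow's jobs request against what the caller's `permissions:` value carries. The job names and the "after" grant blocks are constructed; only the scopes and levels come from the commit message.

```python
# Added example. Scope names and levels follow the GitHub Actions permissions
# model; the inputs are constructed from the commit message, not read from
# the repository's workflow files.
LEVELS = {"none": 0, "read": 1, "write": 2}


def effective(perms, scope):
    """Level that a caller's `permissions:` value grants for one scope."""
    if perms in ("read-all", "write-all"):  # shorthand forms
        return perms.split("-")[0]
    # An explicit mapping sets every scope it does not list to none.
    return perms.get(scope, "none")


def missing_grants(caller_perms, callee_jobs):
    """Return {job: {scope: (requested, granted)}} for each scope a called
    job requests above what the caller's token carries. A non-empty result
    means the run would fail at startup instead of executing any job."""
    gaps = {}
    for job, requested in callee_jobs.items():
        for scope, want in requested.items():
            have = effective(caller_perms, scope)
            if LEVELS[want] > LEVELS[have]:
                gaps.setdefault(job, {})[scope] = (want, have)
    return gaps


# Callee requests as stated in the commit message (job names hypothetical).
GITLEAKS = {"gitleaks": {"pull-requests": "write", "actions": "read"}}
SCORECARD = {"scorecard": {"security-events": "write", "id-token": "write"}}

# Caller grants: "before" as described, "after" constructed to be a superset.
CASES = {
    "secret-scanner before": ({"contents": "read"}, GITLEAKS),
    "secret-scanner after": ({"contents": "read", "pull-requests": "write",
                              "actions": "read"}, GITLEAKS),
    "scorecard before": ("read-all", SCORECARD),
    "scorecard after": ({"security-events": "write", "id-token": "write"},
                        SCORECARD),
}

if __name__ == "__main__":
    for name, (caller, callee) in CASES.items():
        gaps = missing_grants(caller, callee)
        print(f"{name}: {'OK' if not gaps else gaps}")
```
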