ci: fix all four pre-existing workflow failures#73

Merged: hyperpolymath merged 1 commit into main from ci/fix-preexisting-failures on Jul 2, 2026
Conversation

@hyperpolymath


Summary

All four pre-existing red workflows failed at load time (zero jobs created), so nothing they claim to gate has actually run in weeks:

| Workflow | Root cause | Fix |
| --- | --- | --- |
| Secret Scanner | Caller grants `contents: read` only; called reusable's gitleaks job requests `pull-requests: write` + `actions: read` — a callee can only narrow the caller's token, never exceed it → `startup_failure` since the 2026-06-24 repin | Caller grants the superset |
| Scorecards | Same class: `read-all` cannot cover the callee's `security-events: write` + `id-token: write` | Explicit grant block |
| Dogfood Gate | Inline `python3 -c` snippet written at column 1 inside a `run: \|` literal block — terminates the block scalar, whole file unparseable (six jobs invisible) | Script moved to step `env.PYCODE` (YAML strips base indent there), invoked as `python3 -c "$PYCODE"` |
| Instant Sync | `secrets` context is not available in step-level `if:` — workflow-file error | Secret hoisted to job env, step gated on env; absent secret → clean skip (matches the recorded plan to drop `FARM_DISPATCH_TOKEN`) |

Note for standards: secret-scanner-reusable.yml's comment claims reusable-workflow permission blocks "OVERRIDE the caller's" — it's the reverse, and any wrapper deployed with plain contents: read startup-fails. The estate-wide fix belongs in the standards wrapper template; this PR fixes ochrance's callers.

Validated: actionlint clean across the workflows directory; all four files parse with their expected job sets. Dogfood Gate's six jobs will run for the first time on this PR — watching post-merge for legitimate failures they may surface.

🤖 Generated with Claude Code

Every one of these predates today's work; all four failed at workflow
LOAD time (zero jobs), so nothing they gate has actually run in weeks:

- secret-scanner.yml: caller granted only contents:read but the called
  reusable's gitleaks job requests pull-requests:write + actions:read.
  A called workflow can only narrow the caller's token, never exceed it
  -> startup_failure on every run since the 2026-06-24 repin (#62).
  Caller now grants the superset. (The reusable's comment claiming its
  permissions 'override the caller's' is backwards — flagged for
  standards separately.)
- scorecard.yml: same class — read-all cannot cover the callee's
  security-events:write + id-token:write. Explicit grant block added.
- dogfood-gate.yml: an inline python3 -c snippet was written at column 1
  inside a run:| literal block, terminating the block scalar and making
  the entire file unparseable (path-as-name, zero jobs — all six jobs
  invisible). Script moved to the step's env.PYCODE block scalar (YAML
  strips base indentation there) and invoked as python3 -c "$PYCODE".
- instant-sync.yml: secrets context is not available in step-level if:
  — workflow-file error at load. Secret hoisted to job env and the step
  gated on env.FARM_DISPATCH_TOKEN instead. (When the secret is absent
  the step skips and the job is green, which matches the recorded plan
  to drop FARM_DISPATCH_TOKEN after the credential rebuild.)

Validated: actionlint clean across .github/workflows; all four parse
with the expected job sets.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
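The three load-time failure classes described above (caller token narrower than the callee's request, a column-1 line inside a `run: |` block scalar, and `secrets` in a step-level `if:`), shown side by side in one illustrative workflow. This is an added example, not a file from the ochrance repository or the standards template; the job and step names, the `OWNER`/`PINNED_SHA` reference, the metadata check inside `PYCODE`, and the dispatch step body are assumptions. The failing shape of each pattern is kept in comments because, for the block-scalar case, it cannot coexist with a file that parses.

```yaml
# Added illustration (not the repository's own workflow): each job shows
# the pattern that fails at workflow load and the shape that loads.
name: load-time-fixes-example
on: [push, pull_request]

jobs:
  # 1. Reusable-workflow permissions. A called workflow can only narrow
  #    the caller's GITHUB_TOKEN, so the caller must grant every scope
  #    the callee's jobs request. With only
  #      permissions:
  #        contents: read
  #    and a callee job asking for pull-requests: write + actions: read,
  #    the run ends in startup_failure with zero jobs created.
  secret-scan:
    permissions:
      contents: read
      pull-requests: write   # superset of what the callee's gitleaks job requests
      actions: read
    # OWNER and PINNED_SHA are placeholders; pin to a commit SHA in practice.
    uses: OWNER/standards/.github/workflows/secret-scanner-reusable.yml@PINNED_SHA
    secrets: inherit

  # 2. Inline script inside a literal block scalar. A line starting at
  #    column 1 inside `run: |` terminates the block scalar, and every
  #    following line is a parse error, so the whole file is unloadable.
  #    Keeping the script in a block scalar under env: lets YAML strip the
  #    base indentation and hand the shell the script as one string.
  dogfood-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate metadata (assumed check, for illustration only)
        env:
          PYCODE: |
            import pathlib, sys
            missing = [p for p in pathlib.Path(".").rglob("*.a2ml")
                       if "project" not in p.read_text()]
            print(f"{len(missing)} file(s) without an identity key")
            sys.exit(1 if missing else 0)
        run: python3 -c "$PYCODE"

  # 3. `secrets` is not an allowed context in a step-level `if:`, so
  #      if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}
  #    is a workflow-file error at load. Hoist the secret into job env and
  #    gate on env; an absent secret yields an empty string, the step
  #    skips, and the job stays green.
  instant-sync:
    runs-on: ubuntu-latest
    env:
      FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
    steps:
      - name: Dispatch downstream sync
        if: ${{ env.FARM_DISPATCH_TOKEN != '' }}
        run: echo "token present; dispatch would happen here (assumed step body)"
```

Running `actionlint` over a workflows directory containing this file reports no load-time errors; the check worth repeating after any repin of a reusable workflow is the first one, since a callee's permission request can grow without the caller's grant block changing.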
@hyperpolymath hyperpolymath merged commit 6d01e3d into main Jul 2, 2026
31 of 33 checks passed
@hyperpolymath hyperpolymath deleted the ci/fix-preexisting-failures branch July 2, 2026 04:20
hyperpolymath added a commit that referenced this pull request Jul 2, 2026
PR #73 made dogfood-gate.yml parseable for the first time, which let
its six jobs actually run — and two failed on real metadata
nonconformance:

- a2ml-validate: 11 .a2ml files had no identity key. Added
  project = "ochrance" in each file's own dialect ([metadata] blocks,
  top-level for the @abstract contractiles, name = "ochrance" in
  CLADE's [identity]).
- k9-validate: all 6 .k9.ncl pedigree blocks lacked a name field.
  Added name = "<file-stem>" to each.

Verified by running both validators (validate-a2ml.sh / validate-k9.sh
fetched from the pinned action repos) locally against the repo:
0 errors each (8 non-strict a2ml warnings remain).

Note: the contractile files still carry stale 'for rsr-template-repo'
prose — template-scaffold drift, left for the estate-wide
.machine_readable resync (issue #41 umbrella) rather than piecemeal
edits here.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>