Skip to content

fix(ci): scan-and-report — skip verisimdb dispatch when VERISIMDB_PAT is absent#156

Merged
hyperpolymath merged 1 commit into
mainfrom
fix/scan-dispatch-optional-pat
Jul 7, 2026
Merged

fix(ci): scan-and-report — skip verisimdb dispatch when VERISIMDB_PAT is absent#156
hyperpolymath merged 1 commit into
mainfrom
fix/scan-dispatch-optional-pat

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

Summary

VERISIMDB_PAT is declared optional in scan-and-report.yml, but consumers without it fall back to GITHUB_TOKEN — which is scoped to the calling repo and can never fire a repository_dispatch at verisimdb-data. Result: every consumer without the PAT gets a red Security Scan at the dispatch step (bare curl exit 22), even though the scan itself passed. Seen on echidna run 28842498410 immediately after #155 removed the argv overflow that had been masking it.

  • No PAT::notice + skip the dispatch step; the scan result still gates the job.
  • With PAT → capture %{http_code} and print the API response body on rejection, so a real dispatch failure is diagnosable.

Verification

  • actionlint clean.
  • Skip path exercised locally (empty DISPATCH_TOKEN → notice + exit 0).

🤖 Generated with Claude Code

…PAT; surface HTTP status on rejection

VERISIMDB_PAT is declared optional (required: false), but consumers
without it fell through to GITHUB_TOKEN, which can never dispatch to
another repo — so every such consumer's Security Scan went red at the
dispatch step with a bare curl exit 22 (seen on echidna run
28842498410 once the argv overflow from #155 was out of the way).

- No PAT -> notice + skip dispatch; the scan result itself still gates.
- With PAT -> capture and report the HTTP status + response body on
  rejection instead of a silent -f failure.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) July 7, 2026 05:02
@hyperpolymath hyperpolymath merged commit 6693e01 into main Jul 7, 2026
@hyperpolymath hyperpolymath deleted the fix/scan-dispatch-optional-pat branch July 7, 2026 05:02
hyperpolymath added a commit to hyperpolymath/echidna that referenced this pull request Jul 7, 2026
…urity Scan green without VERISIMDB_PAT) (#309)

Follow-up to #307: with the argv overflow gone, Security Scan on main
still failed at the dispatch step (run 28842498410) — echidna carries no
`VERISIMDB_PAT` and the `GITHUB_TOKEN` fallback can never
`repository_dispatch` to `verisimdb-data` (curl exit 22).
hyperpolymath/panic-attack#156 makes the optional secret genuinely
optional (`::notice` + skip) and prints the HTTP status/response on real
rejections. This pins forward to its merge commit `6693e01`.

Note for owner: if the estate wants echidna's scan results flowing into
verisimdb-data again, mint/restore `VERISIMDB_PAT` (part of the
PAT-rotation backlog) — the workflow will then dispatch again
automatically.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant