
fix(ci): replace fake goto-bus-stop/setup-zig SHA pin #19

Merged: hyperpolymath merged 1 commit into main from claude/fix-fake-setup-zig-sha, May 30, 2026

Conversation

@hyperpolymath
Owner

Summary

The pin goto-bus-stop/setup-zig@7ab2955eb728f5440978d7b4f723a50dea1f3608 at .github/workflows/e2e.yml:42 is fabricated. gh api repos/goto-bus-stop/setup-zig/commits/7ab2955... → 422 "No commit found for SHA".

The fake SHA's first 16 hex chars collide with v2.2.0's real SHA 7ab2955eb728f5440978d5824358023be3a2802d, but the rest is fabricated — a partial collision that would slip past visual review.

Replaced with verified v2.2.1 pin abea47f85e598557f500fa1fd2ab7464fcb39406.

Provenance

Test plan

  • The setup-zig line uses abea47f85e... (v2.2.1)
  • gh api repos/goto-bus-stop/setup-zig/commits/abea47f85e598557f500fa1fd2ab7464fcb39406 returns 200
  • The e2e workflow's Zig setup step actually resolves on next run

The pin `goto-bus-stop/setup-zig@7ab2955eb728f5440978d7b4f723a50dea1f3608`
at .github/workflows/e2e.yml:42 is fabricated (`gh api repos/goto-bus-stop/
setup-zig/commits/7ab2955... -> 422`). The fake SHA's first 16 hex chars
collide with v2.2.0's real SHA `7ab2955...2802d` but the rest is
fabricated — a partial collision that would have escaped visual review.

Replaced with verified v2.2.1 pin
`abea47f85e598557f500fa1fd2ab7464fcb39406`.

Provenance: propagated from rsr-template-repo#81 (merged); discovered
while wiring CI for snifs (hyperpolymath/snifs#30); 3 of 3 fan-out PRs
alongside odds-and-sods-package-manager#39 and proven#93.
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 13:42
@github-actions

🔍 Hypatia Security Scan

Findings: 297 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 214 |
| 🟠 High | 11 |
| 🟡 Medium | 72 |

⚠️ Action Required: Critical security issues found!


Powered by Hypatia Neurosymbolic CI/CD Intelligence

hyperpolymath added a commit to hyperpolymath/standards that referenced this pull request May 30, 2026
## Summary

Standards had two distinct `erlef/setup-beam` SHAs and one wrong version
comment across canonical workflows. Consolidated to
`fc68ffb90438ef2936bbb3251622353b3dcb2f93` (v1.24.0, 2026-03-30) with
correct annotations.

## Before / after

| File | Before | After |
|---|---|---|
| `hypatia-scan.yml` | `fc68ffb...` `# v1.18.2` (comment wrong; SHA is actually v1.24.0) | `fc68ffb...` `# v1.24.0` |
| `hypatia-scan-reusable.yml` | same as above | same fix |
| `elixir-ci-reusable.yml` | `5304e04...` `# v1.18.2` (stale pin from 2024-09-25) | `fc68ffb...` `# v1.24.0` |

Both SHAs verified real via `gh api
repos/erlef/setup-beam/commits/<sha>`. Fragmentation likely from
incremental updates that didn't sweep all three files together.

## Why this matters

`elixir-ci-reusable.yml` is the load-bearing change: ~12 estate repos
call it as a wrapper. This PR propagates the v1.18.2 → v1.24.0 upgrade
across the fleet through that single dependency.

## Provenance

Companion to:
- `hyperpolymath/rsr-template-repo#81` (template fakes fixed, merged)
- `hyperpolymath/odds-and-sods-package-manager#39` (downstream)
- `hyperpolymath/proven#93` (downstream, merged)
- `hyperpolymath/proven-servers#19` (downstream)

All fan-out from the SNIFS CI gate work in `hyperpolymath/snifs#30`.

## Test plan

- [ ] All 3 setup-beam pins resolve to `fc68ffb...` with comment `# v1.24.0`
- [ ] `gh api repos/erlef/setup-beam/commits/fc68ffb90438ef2936bbb3251622353b3dcb2f93` returns 200
- [ ] `hypatia-scan` workflow runs green on this PR
- [ ] No downstream repos using elixir-ci-reusable break under v1.24.0 (Elixir/OTP version inputs unchanged)
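The two checks these messages describe, as an added example that is not code from the PR or from either repository: the setup-zig fix verifies each SHA pin against `gh api repos/OWNER/REPO/commits/SHA` and notes how many leading hex characters the fake shares with the real v2.2.0 SHA, and the setup-beam commit catches a `# vX.Y.Z` comment that disagrees with the SHA it annotates. Every name here (`PIN_RE`, `extract_pins`, `gh_commit_exists`, `offline_exists`, `shared_prefix_len`, `audit`, `KNOWN`, `SAMPLE_WORKFLOW`) is a hypothetical helper; the sample workflow and the `KNOWN` table are constructed from the full SHAs quoted on this page, the `# v2.2.0` comment on the fake pin is assumed, and the live check assumes an authenticated `gh` CLI.

```python
import re
import subprocess
# `uses: owner/repo@<40-hex sha>` with an optional trailing `# vX.Y.Z` comment.
PIN_RE = re.compile(r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})"
                    r"[ \t]*(?:#[ \t]*(?P<comment>\S+))?")
# Constructed sample: the fake setup-zig pin, its replacement, and a setup-beam pin with a stale comment.
SAMPLE_WORKFLOW = """
steps:
  - uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d7b4f723a50dea1f3608 # v2.2.0
  - uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2.2.1
  - uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.18.2
"""
# Full SHAs the two messages record as verified via `gh api`, keyed by SHA (constructed table).
KNOWN = {
    "7ab2955eb728f5440978d5824358023be3a2802d": ("goto-bus-stop/setup-zig", "v2.2.0"),
    "abea47f85e598557f500fa1fd2ab7464fcb39406": ("goto-bus-stop/setup-zig", "v2.2.1"),
    "fc68ffb90438ef2936bbb3251622353b3dcb2f93": ("erlef/setup-beam", "v1.24.0"),
}

def extract_pins(text):
    """Return (action, sha, comment) for every SHA-pinned `uses:` line."""
    return [(m["action"], m["sha"], m["comment"] or "") for m in PIN_RE.finditer(text)]

def gh_commit_exists(action, sha):
    """Live check: `gh api repos/OWNER/REPO/commits/SHA` exits non-zero on a 422."""
    proc = subprocess.run(["gh", "api", f"repos/{action}/commits/{sha}"], capture_output=True)
    return proc.returncode == 0

def offline_exists(action, sha):
    """Offline stand-in reproducing the recorded API results: only the known SHAs resolve."""
    return sha in KNOWN and KNOWN[sha][0] == action

def shared_prefix_len(a, b):
    """Leading hex chars two SHAs share; a long shared prefix defeats eyeball review."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def audit(text, exists, known=KNOWN):
    """Flag pins that do not resolve (naming the real SHA they mimic) and stale comments."""
    findings = []
    for action, sha, comment in extract_pins(text):
        same_action = [s for s, (a, _) in known.items() if a == action]
        if not exists(action, sha):
            near = max(same_action, key=lambda s: shared_prefix_len(sha, s), default=None)
            detail = (f"{shared_prefix_len(sha, near)} leading hex chars match {known[near][1]}"
                      if near else "no known SHA to compare")
            findings.append({"action": action, "sha": sha, "kind": "unresolved", "detail": detail})
        elif sha in known and comment and comment != known[sha][1]:
            findings.append({"action": action, "sha": sha, "kind": "comment_mismatch",
                             "detail": f"comment says {comment}, SHA is {known[sha][1]}"})
    return findings
```

Run `audit(open(".github/workflows/e2e.yml").read(), gh_commit_exists)` against a real workflow; with `offline_exists` the sample above reports the fake pin as unresolved with 21 leading hex characters in common with v2.2.0, and the setup-beam line as a comment mismatch.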
@hyperpolymath hyperpolymath merged commit 0c28d81 into main May 30, 2026
16 of 19 checks passed
@hyperpolymath hyperpolymath deleted the claude/fix-fake-setup-zig-sha branch May 30, 2026 13:55