Finding
A 2026-05-30 estate-wide sweep across `~/developer/repos/*/.github/workflows/scorecard.yml` found 81 of 88 wrappers missing the required job-level permissions block on the `analysis` job.
Per feedback_scorecard_wrapper_caller_permissions memory: GitHub Actions caps a called workflow's `GITHUB_TOKEN` permissions at what the calling job grants; the reusable workflow can narrow them but never widen them. If the caller only declares `permissions: read-all` at workflow level, the reusable's job-level `security-events: write` + `id-token: write` is silently capped — and `ossf/scorecard-action` fails to upload SARIF, surfacing as `startup_failure` ("this run likely failed because of a workflow file issue") with no jobs and no logs.
Canonical example (already correct in standards)
The canonical caller example in `.github/workflows/scorecard-reusable.yml` already documents the correct shape:
```yaml
permissions:
  contents: read

jobs:
  analysis:
    permissions:
      security-events: write
      id-token: write
    uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@
    secrets: inherit
```
The 7 wrappers that are correct match this shape. The 81 broken ones predate the canonical update.
Broken wrappers (81)
- ambientops
- anamnesis
- bebop-ffi
- befunge93-vault-cracker
- betlang
- blue-screen-of-app
- bofig
- boinc-boinc
- boj-server
- bunsenite
- burble
- casket-ssg
- cccp
- checky-monkey
- chimichanga
- conative-gating
- conflow
- docudactyl
- echidna
- echo-types
- eclexia
- explicit-trust-plane
- feedback-o-tron
- file-soup
- gitbot-fleet
- hesiod-dns-map
- heterogenous-mobile-computing
- http-capability-gateway
- hybrid-automation-router
- hypatia
- januskey
- laminar
- maa-framework
- modshells
- neurophone
- nextgen-languages
- nextgen-typing
- oblibeny
- odds-and-sods-package-manager
- oikos
- palimpsest-license
- palimpsest-plasma
- panic-attack
- panll
- php-aegis
- phronesis
- polysafe-gitfixer
- pow-the-game
- proof-of-work
- proven
- quandledb
- qubes-sdp
- reasonably-good-token-vault
- refugia
- reposystem
- resource-record-fluctuator
- robodog-ecm
- robot-vacuum-cleaner
- rpa-elysium
- rrecord-verity
- rsr-template-repo
- safe-brute-force
- sanctify-php
- scripts
- seamstress
- session-sentinel
- snapcreate
- snifs
- stapeln
- thejeffparadox
- thunderbird-template-reloaded
- tma-mark2
- tree-navigator
- typed-wasm
- universal-chat-extractor
- universal-language-server-plugin
- universal-project-manager
- verisimdb
- volumod
- voyage-enterprise-decision-system
- wokelang
Recommended fix
Mechanical sweep: insert the 3-line job-level permissions block into each broken wrapper. The fix is identical for every repo, landed as one PR per repo (or batched via subagent fan-out, paced to stay within the API rate limit).
Same scope/pattern as the 54-repo hypatia-scan SHA repin sweep tracked at `docs/audits/audit-hypatia-pin-orphan-2026-05-27.adoc` — same template-drift root cause (wrappers landed before the canonical was updated).
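A checker for the drift described above, added here as an example and not the estate's own sweep tooling: it walks `jobs -> analysis -> permissions` in each `scorecard.yml` with an indentation-based check (no PyYAML needed) and assumes the block-style shape of the canonical example; `audit_wrapper()`, `sweep()`, the `PLACEHOLDER_REF` pin and the constructed samples are all assumptions.

```python
import re
from pathlib import Path
REQUIRED = {"security-events": "write", "id-token": "write"}  # job-level grants the canonical shape needs
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

def indent(line):
    return len(line) - len(line.lstrip(" "))

def children(lines, start, parent_indent):
    """key -> (value, line_no) for entries nested exactly one level below parent_indent."""
    out, child_indent = {}, None
    for j in range(start, len(lines)):
        raw = lines[j]
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        if indent(raw) <= parent_indent:
            break  # back at the parent's level: this mapping has ended
        child_indent = indent(raw) if child_indent is None else child_indent
        m = KEY_RE.match(raw)
        if indent(raw) == child_indent and m:
            out[m.group(1)] = (m.group(2), j)
    return out

def audit_wrapper(text, job="analysis"):
    """Problems in one scorecard.yml wrapper; [] means it matches the canonical shape."""
    lines, at = text.splitlines(), -1
    for key in ("jobs", job, "permissions"):  # walk jobs -> <job> -> permissions
        entry = children(lines, at + 1, -1 if at < 0 else indent(lines[at])).get(key)
        if entry is None:
            return [f"missing '{key}' (path: jobs -> {job} -> permissions)"]
        at = entry[1]
    # A scalar shorthand (read-all / write-all) has no children, so it is reported too.
    granted = {k: v for k, (v, _) in children(lines, at + 1, indent(lines[at])).items()}
    return [f"'{job}' job needs {k}: {want} (has {granted.get(k, 'nothing')})"
            for k, want in REQUIRED.items() if granted.get(k) != want]

def sweep(root):
    """repo name -> problems, for every */.github/workflows/scorecard.yml under root."""
    return {p.parts[-4]: audit_wrapper(p.read_text())
            for p in sorted(Path(root).glob("*/.github/workflows/scorecard.yml"))}

# Constructed samples; the reusable's ref is a placeholder, not the real pin.
BROKEN = """permissions: read-all
jobs:
  analysis:
    uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@PLACEHOLDER_REF
    secrets: inherit
"""
FIXED = BROKEN.replace("permissions: read-all", "permissions:\n  contents: read").replace(
    "    uses:", "    permissions:\n      security-events: write\n      id-token: write\n    uses:")
```

Running `sweep("~/developer/repos")` (after expanding the path) reproduces the 81-of-88 tally; a wrapper with a partial block is reported key by key rather than as a missing block.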
Owner decision needed
- (a) Run the 81-wrapper sweep now (~9.5h throttled via background script, parallels CLAUDE.md sweep)
- (b) Defer — known issue, scorecard is advisory, not blocking
- (c) Bundle with the hypatia-scan SHA sweep (54 repos) as one combined "wrapper hygiene" sweep — overlap maximised, single rate-limit window
Refs #287