Sub-issue of #66 (2026-05-16 sweep findings — surfaced again 2026-05-17 via the burble#35 SARIF PRs).
Symptom
lint / quality job fails at Set up job (before any step runs):
Unable to resolve action `trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8`, unable to find version `7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8`
The step has continue-on-error: true, but action resolution happens before the step, so the whole job goes red regardless. This is a hard estate-wide baseline red, not advisory.
Root cause
quality.yml pins trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8 # main — i.e. a SHA captured from upstream's moving main branch. Upstream GC'd / rewrote it, so the SHA no longer resolves. Pinning @<sha> # main is itself the anti-pattern: pin to a released tag SHA, never a moving ref's transient SHA.
Canonical home + blast radius (confirmed local clones)
Canonical quality.yml lives in reposystem and v3-templater. Bad SHA 7ee2e0fd… confirmed in:
- v3-templater/.github/workflows/quality.yml:19 (# main)
- repos/verisimdb/.github/workflows/quality.yml:69 (# main)
- repos/ochrance/.github/workflows/secret-scanner.yml:22 (# v3 — mislabelled, same bad SHA)
- (+ every consumer that adopted quality.yml / secret-scanner.yml)
Fix
- Repin to a real released-tag SHA. Known-good pins already in the estate:
  - trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3 (deterministic, preferred)
  - or …@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
- Apply at canonical (reposystem + v3-templater quality.yml, and secret-scanner.yml where the same mislabelled pin exists), then consumer sweep per the [drift playbook].
- Add a lint rule / grep guard rejecting @<sha> # main|master|HEAD pins so this class can't recur (Explicit-Escape / truth-in-pinning).
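Added example of the grep guard proposed in the last fix item (not code from reposystem, v3-templater or any consumer repo). It rejects a `uses:` pin of the form `owner/repo@<40-hex>` whose trailing comment is main/master/HEAD and, going one step beyond the proposal, also a bare SHA pin with no tag comment at all, since there is nothing to verify such a SHA against; the `.github/workflows` path and the sample workflow are assumptions/constructed, the two trufflehog SHAs are the ones from this issue.

```shell
#!/bin/sh
# Truth-in-pinning guard: fail when an action is pinned to a SHA captured
# from a moving ref (comment says main/master/HEAD) or to a SHA with no tag
# comment at all. Pins commented with a released tag ("# v3.92.3") pass.

# check_pins FILE... : prints each offending line as FILE:LINE:TEXT,
# returns 1 if any were found, 0 if clean, 2 on grep error (e.g. missing file)
check_pins() {
    # "- uses: owner/repo@<40 hex>" followed by either end-of-line (no comment)
    # or a comment naming a moving ref; case-insensitive for the ref name/hex
    pat='^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[^@[:space:]]+@[0-9a-f]{40}[[:space:]]*(#[[:space:]]*(main|master|HEAD)[[:space:]]*)?$'
    rc=0
    grep -nHEi -- "$pat" "$@" || rc=$?
    case $rc in
        0) return 1 ;;   # offending pins were printed
        1) return 0 ;;   # no matches: clean
        *) return 2 ;;   # grep itself failed
    esac
}

# Constructed sample workflow (not from the estate) mixing good and bad pins;
# the example-org action and its SHA are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
jobs:
  quality:
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8 # main
      - uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
EOF
}

# In CI (assumed path): check_pins .github/workflows/*.yml || exit 1
```

Running `check_pins` on the sample prints the `# main` line and the uncommented SHA line and returns 1; the two tag-commented pins are left alone.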
Refs #66