From a3dfe92bb9f078d8f9e86357e11b32bad0bc2da6 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 24 May 2026 20:14:46 +0100
Subject: [PATCH] fix: checkout caller's repo in governance-reusable workflow
All 6 governance jobs now check out the caller's repository instead of the standards repo by default. This allows .hypatia-ignore and other caller-specific files to be found during governance checks. Fixes gitbot-fleet#198 governance/language-policy failures where .hypatia-ignore exemptions were not being honored. Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe
---
 .github/workflows/governance-reusable.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
index a85c64b..394ea52 100644
--- a/.github/workflows/governance-reusable.yml
+++ b/.github/workflows/governance-reusable.yml
@@ -44,6 +44,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
 - name: Check for TypeScript
 run: |
@@ -252,6 +255,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
 - name: Enforce Guix primary / Nix fallback
 run: |
 HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
@@ -276,6 +282,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
 - name: Security checks
 run: |
 FAILED=false
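Review bot: The explicit `ref: ${{ github.ref }}` added to all six checkout steps (this hunk and those at -252, -276, -359, -404 and -458) makes checkout resolve the ref by name when the step runs, whereas its default for the workflow's own repository also pins the triggering commit from `github.sha`; the governance and security checks can therefore evaluate a different commit than the one that started the run if the ref moves in between. In a `workflow_call` run the `github` context belongs to the caller, so the default checkout should already fetch the caller's repository, which suggests the `.hypatia-ignore` failure may have another cause; worth confirming before relying on this fix. If the `with:` block stays, I would drop the `ref:` line (or use `ref: ${{ github.sha }}`) and add `persist-credentials: false`, since the following `run:` steps only read the tree and do not need the token left in `.git/config`. The job bodies continue outside each hunk, so what those scripts do with the checked-out files is not visible here.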
@@ -359,6 +368,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
 - name: Check file permissions
 run: |
 find . -type f -perm /111 -name "*.sh" | head -10 || true
@@ -404,6 +416,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
 - name: RFC 9116 security.txt validation
 run: |
 SECTXT=""
@@ -458,6 +473,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
 - name: Check SPDX headers + permissions
 run: |
 failed=0