feat(governance): add scorecard-reusable.yml — close 5-candidate convergence set#205
Open
hyperpolymath wants to merge 1 commit into
Conversation
Consolidates 258 top-level estate deployments + 626 nested copies of scorecard.yml into one reusable workflow.

Drift signal:
- 258 top-level / 46 unique blob SHAs / 17.8% structural drift
- Top SHA covers 100/258 (38.8%); top 7 cover ~80%
- 100% of drift is MECHANICAL — SPDX header lag, action SHA-pin drift, permissions wording — ZERO feature variance across all 46 blob SHAs

Design:
- One input: `runs-on` (default ubuntu-latest)
- No `secrets: inherit` needed — uses GITHUB_TOKEN directly
- Caller MUST grant `security-events: write` + `id-token: write` on the calling job (capped by caller per GitHub Actions semantics)

This closes the workflow convergence campaign 5-candidate set (#187 mirror, #190 secret-scanner, #192 codeql, #193 hypatia-scan, #194 classifier tooling, #199 campaign meta-doc, #204 list-workflow-paths helper, this PR).
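The "unique blob SHAs / structural drift" figure above is the ratio of distinct git blob ids to deployment sites. The script below is an added illustration, not the project's list-workflow-paths.sh helper or any script from this PR: it computes git blob ids without invoking git (`sha1("blob <size>\0<content>")`), builds a small constructed estate of ten scorecard.yml copies (seven identical, two with a lagging SPDX header, one with different permissions wording), and reports total sites, unique blobs and the drift percentage. File names and contents are made up for the demo.

```shell
#!/bin/sh
# Added example (not part of PR #205): measure "structural drift" of a set
# of workflow copies as unique-git-blob-ids / total-copies.

# git blob id = sha1 over "blob <byte length>\0" followed by the file bytes.
# Computed with sha1sum so the check works without a git checkout.
git_blob_sha() {
  size=$(wc -c < "$1" | tr -d ' ')
  { printf 'blob %s\0' "$size"; cat "$1"; } | sha1sum | cut -d' ' -f1
}

# Print "<total> <unique> <drift-pct>" for every *.yml in a directory.
drift_report() {
  estate=$1
  total=$(ls "$estate"/*.yml | wc -l | tr -d ' ')
  unique=$(for f in "$estate"/*.yml; do git_blob_sha "$f"; done | sort -u | wc -l | tr -d ' ')
  pct=$(awk -v u="$unique" -v t="$total" 'BEGIN { printf "%.1f", 100 * u / t }')
  echo "$total $unique $pct"
}

# Constructed fixture: ten copies of a tiny scorecard.yml showing the two
# mechanical drift classes named in the PR (SPDX header lag, permissions
# wording). Prints the directory it created.
make_fixture() {
  fx=$(mktemp -d)
  base='# SPDX-License-Identifier: MIT
name: scorecard
permissions:
  contents: read
'
  i=1
  while [ "$i" -le 7 ]; do
    printf '%s' "$base" > "$fx/repo$i.yml"
    i=$((i + 1))
  done
  # two copies whose SPDX header never got the update
  printf '%s' "$base" | sed 's/MIT/Apache-2.0/' > "$fx/repo8.yml"
  cp "$fx/repo8.yml" "$fx/repo9.yml"
  # one copy with the older permissions wording
  printf '%s' "$base" | sed 's/contents: read/read-all/' > "$fx/repo10.yml"
  echo "$fx"
}
```

Run `drift_report "$(make_fixture)"` to get `10 3 30.0`: ten sites, three distinct blobs, 30.0% drift. Point `drift_report` at a directory of real copies to reproduce the PR's metric; the blob ids match what `git hash-object` reports, so they can be compared against Tree API output directly.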
hyperpolymath added a commit that referenced this pull request on May 26, 2026
Walked the Git Tree API for all 5 templates via list-workflow-paths.sh from #204. Findings:
- Top-level path-filtered queries were 1-35% undercounted across all 5 templates (worst: hypatia-scan 255 -> 344, +89 / 35%).
- Nested-copy counts were 100%+ undercounted for mirror.yml (133 reported -> 335 true).
- hypatia-scan top-level has only 3 unique blob SHAs across 344 sites -> 0.9% drift on the executing surface (vs the 11.8% drift the PR body reports for top-level+nested).

Replaced the 'Corrected estate counts' section with three tables: helper-validated totals, top-level-only drift, and initial-survey undercount summary. Added LOC retirement table: ~275k LOC top-level across the 5 reusables, ~732k including nested copies. Updated Layer 2 documentation to note path-filtered queries are ALSO truncated (previously the doc only said broad queries were). Updated Standing follow-ups: marked the per-(repo,path) classifier ingestion DONE (shipped in #204); removed the 'file scorecard' item (filed as #205); added quarterly re-run suggestion.
Summary

5th and final reusable in the workflow convergence campaign (see #199 for the meta-doc). Consolidates the per-repo scorecard.yml workflow.

Drift signal (full pagination + per-repo verified)
- `upload-sarif` SHA-pin churn, `permissions: read-all` vs `contents: read` wording

Design
- `runs-on` (default ubuntu-latest)
- No `secrets: inherit` — Scorecard uses GITHUB_TOKEN directly
- Caller must grant `security-events: write` + `id-token: write` on the calling job (called-workflow permissions are capped by caller)
- `on:` triggers + `concurrency:` group

Per Layer-3 caveat from the campaign meta-doc: Nested workflows are inert — GitHub Actions only runs `.github/workflows/` at the repo root. Sweeping the 626 nested copies is single-source-of-truth cleanup, not security hardening.

Campaign convergence set (closes with this PR)

Test plan

🤖 Generated with Claude Code
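To make the design constraints concrete (one `runs-on` input, no `secrets: inherit`, caller grants `security-events: write` and `id-token: write` because a called workflow can never exceed its caller's token permissions), here is an added sketch of a reusable Scorecard workflow and a per-repo caller. This is illustrative code, not the scorecard-reusable.yml from this PR: the action refs use version tags where the project pins by commit SHA, `ORG/REPO` is a placeholder for the repository that hosts the reusable, and the trigger and cron values are made up.

```yaml
# ===== .github/workflows/scorecard-reusable.yml (added example, not the PR's file) =====
name: scorecard-reusable
on:
  workflow_call:
    inputs:
      runs-on:                      # the single input described in the PR
        type: string
        default: ubuntu-latest
        required: false

jobs:
  scorecard:
    runs-on: ${{ inputs.runs-on }}
    # Permissions requested by the called job. GitHub caps these at whatever
    # the calling job granted, so a caller that forgets id-token/security-events
    # gets a failing publish or SARIF upload, not an escalation.
    permissions:
      contents: read
      security-events: write        # upload-sarif -> code scanning
      id-token: write               # OIDC token Scorecard uses to publish results
    steps:
      - uses: actions/checkout@v4   # project pins by SHA; tag used here as placeholder
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true     # works with GITHUB_TOKEN, so no secrets: inherit
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
---
# ===== per-repo .github/workflows/scorecard.yml after convergence (added example) =====
name: scorecard
on:
  push:
    branches: [main]
  schedule:
    - cron: '30 1 * * 6'          # constructed weekly schedule
permissions: read-all              # workflow-level default stays least-privilege
concurrency:
  group: scorecard-${{ github.ref }}
  cancel-in-progress: true
jobs:
  scorecard:
    # The caller keeps its own on:/concurrency: and only widens the job token
    # for the two scopes the reusable needs.
    permissions:
      contents: read
      security-events: write
      id-token: write
    uses: ORG/REPO/.github/workflows/scorecard-reusable.yml@main   # placeholder path
    with:
      runs-on: ubuntu-latest
```

Because the caller's `permissions:` block is the effective ceiling, reviewing the 258 callers for these two scopes is the check that matters; the reusable's own block documents the requirement but cannot grant it. Nested copies under a subdirectory (the 626 in the PR) never execute, so they need no permissions review at all, only removal.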