From 5e6531df5a461a52bfd8666cadbbfeeecc2f3894 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Tue, 26 May 2026 23:18:10 +0100
Subject: [PATCH] fix(governance-reusable): pin standards self-checkout to main (workflow_sha resolves to caller, not standards)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `Check out standards repo for shared scripts` step in governance-reusable.yml used `ref: ${{ github.workflow_sha }}`, on the (incorrect) assumption that `github.workflow_sha` would resolve to the SHA of the reusable workflow YAML itself. In a reusable-workflow context it actually resolves to the *caller repo's* commit SHA — so every governance run was issuing:

    git fetch origin

inside a clone of hyperpolymath/standards, where that SHA does not exist. After three retries the checkout fails with exit code 128, and downstream governance jobs (Language / package anti-pattern policy, etc.) never run.

Symptom across the estate: gossamer#59 governance / Language / package anti-pattern policy "Failing after ~40s" on every PR, with the underlying log line:

    The process '/usr/bin/git' failed with exit code 128

verified for SHA 67241f8b650db4feb70b5f2d23342c20bae4b0c4 (a gossamer PR-merge commit, not present in standards). Probing the same SHA in standards directly:

    $ gh api repos/hyperpolymath/standards/commits/67241f8b6...
    No commit found for SHA (HTTP 422)

Fix: pin `ref: main`. Caller repos already pin the reusable workflow YAML by SHA, so script-version drift is bounded to "whatever's on standards/main when the reusable resolves" — acceptable since these are read-only governance checks and standards/main is protected.

Refs: hypatia rule-additions will follow in a separate PR so this can land fast.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/governance-reusable.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml index d48cb9af..a5284692 100644 --- a/.github/workflows/governance-reusable.yml +++ b/.github/workflows/governance-reusable.yml @@ -140,9 +140,14 @@ jobs: # # Implementation note: a reusable workflow only auto-checks-out its # YAML, not sibling files in its repo. So we explicitly check out - # this repo at the same ref the caller picked (via - # `github.workflow_sha`, the SHA actually loaded by the runner) - # into `.standards-checkout/`, then run the script from there. + # this repo into `.standards-checkout/`, then run the script from + # there. We pin to `main` because `github.workflow_sha` resolves to + # the caller repo's commit SHA (not standards'), which makes the + # fetch fail with exit 128 ("No commit found for SHA"). Caller + # repos already pin the reusable's YAML by SHA, so the bounded + # drift is just whatever's on standards/main between the reusable + # version and the script version — acceptable since scripts here + # are read-only governance checks. - name: Set up Deno uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3 with: @@ -152,7 +157,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: hyperpolymath/standards - ref: ${{ github.workflow_sha }} + ref: main path: .standards-checkout # Sparse-checkout only the scripts dir to keep this fast. sparse-checkout: |
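Review bot: In the first hunk (@@ -140,9 +140,14 @@), the rewritten implementation note says the fetch fails "with exit 128 ("No commit found for SHA")", but per the commit message that string is the HTTP 422 response from the `gh api` probe, while the runner log line is `The process '/usr/bin/git' failed with exit code 128`. Someone searching job logs for the quoted text will not find it, so quote the git failure line in the comment instead. The comment also justifies the drift only by the scripts being "read-only governance checks"; the commit message additionally relies on standards/main being a protected branch, and that assumption belongs in the comment too, since it is the control that keeps a floating ref acceptable here.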
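Review bot: In the second hunk (@@ -152,7 +157,7 @@), `ref: main` makes the checked-out scripts float on a mutable branch while both actions in this job (`denoland/setup-deno@e95548e5...` and `actions/checkout@de0fac2e...`) are pinned to full commit SHAs, so a caller that pins the reusable YAML by SHA no longer pins the code that the job then runs from `.standards-checkout/`. Any commit that lands on standards/main is executed in every caller's next governance run without the caller changing its pin. Consider pinning this `ref:` to a specific standards commit SHA or tag that is bumped together with the YAML, or taking the ref as a workflow input that callers set alongside their existing pin. If `main` stays as a stop-gap, note next to `ref: main` that it is temporary and link the follow-up.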