
ci(language-policy): drop SaltStack Python carveout (closes reposystem#32) #316

Merged
hyperpolymath merged 1 commit into main from cicd/drop-saltstack-python-carveout on May 30, 2026

Conversation

@hyperpolymath
Owner

Summary

  • Removes the SaltStack Python exception from governance-reusable.yml (RSR antipattern check + summary banner) and 4× language-policy.yml (rhodium-standard-repositories root, consent-aware-http, +2 satellites).
  • Estate-wide rule: Python is fully banned, no exceptions (removed 2026-01-03; canonical .claude/CLAUDE.md already reflects this).
  • Infrastructure now uses Terraform + Ansible — neither needs first-party Python, so no replacement exemption.

Test plan

  • Existing repos with no `.py` files: language policy still passes (no behavioural change).
  • A hypothetical new `*.py` file (regardless of `salt`/`_states`/`_modules`/`pillar` in path) is now blocked.
  • Estate-wide reusable callers (governance-reusable consumers) pick up the corrected enforce-message.

Closes

🤖 Generated with Claude Code

…m#32)

Discharges hyperpolymath/reposystem#32. The SaltStack Python exception was
removed estate-wide on 2026-01-03 (canonical .claude/CLAUDE.md already
reflects this), but five workflow files still encoded the legacy carveout:

- .github/workflows/governance-reusable.yml — the RSR antipattern check
  (`grep -v salt | grep -v _states | grep -v _modules | grep -v pillar`)
  + the "only allowed for SaltStack" enforce-message + the trailing
  "SaltStack (Python)" line in the summary banner.
- 4× language-policy.yml (rhodium-standard-repositories root,
  consent-aware-http, +2 satellites) — the `| grep -v 'salt'` filter
  on new .py files and the "(except SaltStack)" comment.

Infrastructure moved to Terraform + Ansible; neither needs first-party
Python so no replacement exemption is required.

Closes hyperpolymath/reposystem#32

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 20:49
@hyperpolymath hyperpolymath merged commit 78ab5c5 into main May 30, 2026
9 of 18 checks passed
@hyperpolymath hyperpolymath deleted the cicd/drop-saltstack-python-carveout branch May 30, 2026 22:39
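
An added example (not code from this PR or from the workflows it edits) contrasting the legacy filter quoted in the commit message with a check that has no carveout. The sample paths, function names and the `enforce` wrapper are constructed for illustration; only the `grep -v` chain is taken from the page.

```shell
#!/usr/bin/env bash
# Constructed sample of paths a pull request might add (not from the repository).
sample_new_files() {
  cat <<'EOF'
README.adoc
src/main.rs
salt/_states/deploy.py
tools/salted_hash/helper.py
scripts/pillar_of_strength/run.py
infra/ansible/site.yml
src/app.py
EOF
}

# Legacy check: the substring filters quoted in the commit message. Any .py path
# containing "salt", "_states", "_modules" or "pillar" anywhere is exempted,
# whether or not it is a SaltStack file.
legacy_violations() {
  grep -E '\.py$' | grep -v salt | grep -v _states | grep -v _modules | grep -v pillar || true
}

# Check with the carveout dropped: every .py path is a violation.
strict_violations() {
  grep -E '\.py$' || true
}

# Hypothetical CI-step wrapper: reads candidate paths on stdin and returns
# non-zero when the named check reports anything.
enforce() {
  check="$1"
  found="$("$check")"
  if [ -n "$found" ]; then
    printf 'Python files are not permitted:\n%s\n' "$found" >&2
    return 1
  fi
  return 0
}

# Demo: the legacy filter reports one of the four .py files, the strict one all four.
echo "legacy reports: $(sample_new_files | legacy_violations | wc -l) file(s)"
echo "strict reports: $(sample_new_files | strict_violations | wc -l) file(s)"
```

Substring exclusions exempt by path text rather than by directory, which is why `tools/salted_hash/helper.py` passed the legacy check alongside the real Salt state file.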
@github-actions

🔍 Hypatia Security Scan

Findings: 191 issues detected

Severity Count
🔴 Critical 64
🟠 High 37
🟡 Medium 90

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in affinescript-verify.yml",
    "type": "missing_timeout_minutes",
    "file": "affinescript-verify.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in boj-build.yml",
    "type": "missing_timeout_minutes",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "missing_timeout_minutes",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "missing_timeout_minutes",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in changelog-reusable.yml",
    "type": "missing_timeout_minutes",
    "file": "changelog-reusable.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql-reusable.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql-reusable.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in deno-ci-reusable.yml",
    "type": "missing_timeout_minutes",
    "file": "deno-ci-reusable.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in doc-format.yml",
    "type": "missing_timeout_minutes",
    "file": "doc-format.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
