From 37778fdea1cbc2ca6d8f18d66d49dc82109b5e76 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 3 Jun 2026 23:20:45 +0000
Subject: [PATCH] ci(workflows): presence-gate mirror SSH steps + correct registry-verify licence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- mirror-reusable.yml: gate each forge's webfactory/ssh-agent step AND its push step on secrets._SSH_KEY != '' (matching the existing Radicle pattern). Resolves Hypatia secret_action_without_presence_gate (high) and makes an enabled-but-keyless mirror a clean no-op rather than a hard failure.
- registry-verify.yml: SPDX AGPL-3.0-or-later -> MPL-2.0 (owner-directed; aligns with its 27 sibling workflows; clears Hypatia agpl_license).
Note: scorecard_publish_with_run_step on scorecard-enforcer.yml is a Hypatia false positive — the publish job is already uses-only with the threshold check split into a downstream check-score job.
https://claude.ai/code/session_01AmPXB2dA2wCcabo8BXwS28
---
 .github/workflows/mirror-reusable.yml | 12 ++++++++++++
 .github/workflows/registry-verify.yml | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/mirror-reusable.yml b/.github/workflows/mirror-reusable.yml
index 02370c9b..e143be46 100644
--- a/.github/workflows/mirror-reusable.yml
+++ b/.github/workflows/mirror-reusable.yml
@@ -56,9 +56,11 @@ jobs:
 with:
 fetch-depth: 0
 - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+ if: ${{ secrets.GITLAB_SSH_KEY != '' }}
 with:
 ssh-private-key: ${{ secrets.GITLAB_SSH_KEY }}
 - name: Mirror to GitLab
+ if: ${{ secrets.GITLAB_SSH_KEY != '' }}
 # continue-on-error: GitLab branch protection on the mirror repo may block
 # force-push even for a deploy key. Owner action required: in GitLab go to
 # Settings → Repository → Protected branches → main and either allow force-push
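Review bot: The new `if: ${{ secrets.GITLAB_SSH_KEY != '' }}` on the ssh-agent step and on the push step only turns a keyless mirror into a no-op if `GITLAB_SSH_KEY` is declared optional under `on.workflow_call.secrets` (outside this hunk) or the caller uses `secrets: inherit`; a `required: true` declaration would fail the caller before the gate is ever evaluated, so that declaration is worth confirming. The same expression is repeated on both steps because a job-level `if:` has no `secrets` context, and that reason is not recorded anywhere; a comment above the first gate, `# Presence-gated on both steps (a job-level if: cannot read secrets): a caller that passes no key skips the mirror instead of failing it`, would stop a later cleanup from hoisting it. The Bitbucket, Codeberg, SourceHut, Disroot and Gitea hunks repeat this pattern and would take the same comment. The enclosing job definition starts before this hunk.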
@@ -79,9 +81,11 @@ jobs:
 with:
 fetch-depth: 0
 - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+ if: ${{ secrets.BITBUCKET_SSH_KEY != '' }}
 with:
 ssh-private-key: ${{ secrets.BITBUCKET_SSH_KEY }}
 - name: Mirror to Bitbucket
+ if: ${{ secrets.BITBUCKET_SSH_KEY != '' }}
 run: |
 ssh-keyscan -t ed25519 bitbucket.org >> ~/.ssh/known_hosts
 git remote add bitbucket git@bitbucket.org:hyperpolymath/${{ github.event.repository.name }}.git || true
@@ -96,9 +100,11 @@ jobs:
 with:
 fetch-depth: 0
 - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+ if: ${{ secrets.CODEBERG_SSH_KEY != '' }}
 with:
 ssh-private-key: ${{ secrets.CODEBERG_SSH_KEY }}
 - name: Mirror to Codeberg
+ if: ${{ secrets.CODEBERG_SSH_KEY != '' }}
 run: |
 ssh-keyscan -t ed25519 codeberg.org >> ~/.ssh/known_hosts
 git remote add codeberg git@codeberg.org:hyperpolymath/${{ github.event.repository.name }}.git || true
@@ -113,9 +119,11 @@ jobs:
 with:
 fetch-depth: 0
 - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+ if: ${{ secrets.SOURCEHUT_SSH_KEY != '' }}
 with:
 ssh-private-key: ${{ secrets.SOURCEHUT_SSH_KEY }}
 - name: Mirror to SourceHut
+ if: ${{ secrets.SOURCEHUT_SSH_KEY != '' }}
 run: |
 ssh-keyscan -t ed25519 git.sr.ht >> ~/.ssh/known_hosts
 git remote add sourcehut git@git.sr.ht:~hyperpolymath/${{ github.event.repository.name }} || true
@@ -130,9 +138,11 @@ jobs:
 with:
 fetch-depth: 0
 - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+ if: ${{ secrets.DISROOT_SSH_KEY != '' }}
 with:
 ssh-private-key: ${{ secrets.DISROOT_SSH_KEY }}
 - name: Mirror to Disroot
+ if: ${{ secrets.DISROOT_SSH_KEY != '' }}
 run: |
 ssh-keyscan -t ed25519 git.disroot.org >> ~/.ssh/known_hosts
 git remote add disroot git@git.disroot.org:hyperpolymath/${{ github.event.repository.name }}.git || true
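Review bot: The push step that is now gated still establishes trust in the forge with `ssh-keyscan -t ed25519 bitbucket.org >> ~/.ssh/known_hosts` at run time, so the deploy key is used against whatever host answers on the runner's network path and the mirror has no protection against a substituted host; the new gate makes the step conditional but does not change that. This is pre-existing rather than introduced here, and the Codeberg, SourceHut, Disroot and Gitea hunks do the same. A committed `known_hosts` entry (or a repository variable holding the forge's published host key) written to `~/.ssh/known_hosts` in place of the scan would pin the host without any other change to the step. The `Mirror to Bitbucket` run block continues past the end of this hunk.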
@@ -147,9 +157,11 @@ jobs:
 with:
 fetch-depth: 0
 - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+ if: ${{ secrets.GITEA_SSH_KEY != '' }}
 with:
 ssh-private-key: ${{ secrets.GITEA_SSH_KEY }}
 - name: Mirror to Gitea
+ if: ${{ secrets.GITEA_SSH_KEY != '' }}
 run: |
 ssh-keyscan -t ed25519 ${{ vars.GITEA_HOST }} >> ~/.ssh/known_hosts
 git remote add gitea git@${{ vars.GITEA_HOST }}:hyperpolymath/${{ github.event.repository.name }}.git || true
diff --git a/.github/workflows/registry-verify.yml b/.github/workflows/registry-verify.yml
index cd693c04..0fd7c7b1 100644
--- a/.github/workflows/registry-verify.yml
+++ b/.github/workflows/registry-verify.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # registry-verify — fail the build if the spec registry or the DERIVED
 # topology map has drifted from the file tree. This is the in-repo half of
 # the drift-detection loop (the estate half is Hypatia rule HYP-S006).
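Review bot: The Gitea gate checks only `secrets.GITEA_SSH_KEY`, but both commands in the run block also depend on `vars.GITEA_HOST`; if that variable is unset the step runs `ssh-keyscan -t ed25519 >> ~/.ssh/known_hosts` with no host and targets `git@:hyperpolymath/…`, which is exactly the hard failure the commit is trying to turn into a no-op. Gating both steps on `if: ${{ secrets.GITEA_SSH_KEY != '' && vars.GITEA_HOST != '' }}` covers the second precondition. Since the hostname is interpolated into shell text, passing it through `env:` (`GITEA_HOST: ${{ vars.GITEA_HOST }}`) and referencing `"$GITEA_HOST"` in the two commands keeps the expression out of the script body. The run block continues past the end of this hunk; the registry-verify hunk below is a licence-header change only.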