fix(ci): pass GITHUB_TOKEN to Hypatia scanner in reusable workflow#429
Merged
Conversation
The reusable scan workflow never set GITHUB_TOKEN in the "Run Hypatia scan" step, so the scanner's Dependabot / code-scanning / secret-scanning alert checks were always skipped with "GITHUB_TOKEN not set" warnings across every repo that calls this workflow.

Set it to `secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN`:

- Prefer a fine-grained, read-only PAT inherited as an org Actions secret (HYPATIA_SCAN_PAT) -- the built-in Actions token CANNOT read Dependabot alerts (no `dependabot` permission exists for GITHUB_TOKEN).
- Fall back to the built-in token so code-scanning alerts still resolve in repos where the PAT is not present yet.

This silences the three warnings fleet-wide once the org secret exists. It does not change the severity gate (medium+ findings still fail CI).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V13sGvHnaeCY5A9fF2QsDm
hyperpolymath added a commit to hyperpolymath/gitbot-fleet that referenced this pull request on Jun 26, 2026:
…322)

## Summary

Bumps the Hypatia scan wrapper's reusable-workflow pin from `d135b05` (pre-fix) to `e2ef79eecdd623ff631fcbf3fe0268ba4f4ce166` — the squash-merge of [standards#429](hyperpolymath/standards#429) on `standards/main`.

### Why

- `d135b05` predates the alert-token fix: the reusable's "Run Hypatia scan" step set no `GITHUB_TOKEN`, so the scanner's Dependabot / code-scanning / secret-scanning checks were skipped with `GITHUB_TOKEN not set` warnings.
- The interim pin `abd93c3` (the head commit of PR #429) is **not** an ancestor of `standards/main` — #429 was squash-merged as `e2ef79e` — so it tripped the governance **Workflow-Staleness** check (`abd93c3` "not a recognised ancestor of standards HEAD").
- `e2ef79e` is on `standards/main` and carries the full fix: `GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}` plus `--exit-zero` + `if: always()` artifact upload.

This is the fleet-side counterpart to the identical re-pin in `hyperpolymath/hypatia`.

> Note: fleet **actuation** uses `HYPATIA_DISPATCH_PAT` (a different token); this
> change only concerns the read-only scan reusable and does not touch dispatch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

_Generated by [Claude Code](https://claude.ai/code/session_01CqWi7nt49wKrsfsTdXy8ed)_

Co-authored-by: hyperpolymath <paraordinate@yahoo.co.uk>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
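The Workflow-Staleness failure in the re-pin above comes down to one question: is the pinned SHA reachable from `standards/main`? A PR's head commit is not, once the PR has been squash-merged, while the squash commit is. The script below is an added example, not code from the standards or gitbot-fleet repos: it builds a throwaway repository with that exact shape (one-commit PR branch, squash-merged onto main), then runs the ancestry check a practitioner can use before bumping a reusable-workflow pin. Assumptions: the canonical branch is `main`, pins are commit SHAs, and the governance check reduces to `git merge-base --is-ancestor`; the branch name, commit messages and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the standards/gitbot-fleet code): reproduce the
# "not a recognised ancestor of standards HEAD" situation and the check
# that catches it before a pin bump is pushed.

# pin_is_ancestor REPO SHA [BRANCH]: exit 0 if SHA is reachable from BRANCH
# (assumed to be "main" by default), non-zero if it is not or is unknown.
pin_is_ancestor() {
  git -C "$1" merge-base --is-ancestor "$2" "${3:-main}" 2>/dev/null
}

# make_demo_repo DIR: build a repo with a one-commit PR branch squash-merged
# onto main, the shape of standards#429, and print "<pr_head> <squash_sha>".
# Every commit and file content here is constructed for the demo.
make_demo_repo() {
  repo=$1
  git init -q "$repo"
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.name demo
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config commit.gpgsign false
  git -C "$repo" commit -q --allow-empty -m "base"
  git -C "$repo" checkout -q -b fix/scan-token
  printf '%s\n' 'GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}' > "$repo/scan.yml"
  git -C "$repo" add scan.yml
  git -C "$repo" commit -q -m "fix(ci): pass GITHUB_TOKEN to scanner"
  pr_head=$(git -C "$repo" rev-parse HEAD)
  git -C "$repo" checkout -q main
  git -C "$repo" merge -q --squash fix/scan-token >/dev/null
  git -C "$repo" commit -q -m "fix(ci): pass GITHUB_TOKEN to scanner (#429)"
  echo "$pr_head $(git -C "$repo" rev-parse HEAD)"
}

# check_pin REPO SHA: one-line verdict in the wording of the governance check.
check_pin() {
  if pin_is_ancestor "$1" "$2"; then
    echo "ok: $2 is an ancestor of main"
  else
    echo "stale: $2 is not a recognised ancestor of main"
  fi
}

# Demo: the PR head commit is stale, the squash commit passes.
demo_dir=$(mktemp -d)
set -- $(make_demo_repo "$demo_dir/standards")
check_pin "$demo_dir/standards" "$1"
check_pin "$demo_dir/standards" "$2"
rm -rf "$demo_dir"
```

Against a real checkout, `pin_is_ancestor path/to/standards <sha> origin/main` after a `git fetch` answers the same question for the SHA in a `uses:` line; a pin that fails here will fail the staleness check too.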
hyperpolymath added a commit that referenced this pull request on Jul 1, 2026:
…ine (#448)

Canonical estate operating-doctrine statement + licence-consistency script rework (MPL-2.0 code / CC-BY-SA-4.0 prose split) + several CI reusable-workflow fixes already landed piecemeal (#429-#442) that this branch was stacked on.

**Left un-armed for auto-merge deliberately** — this declares canonical estate doctrine and should be owner-ratified before merging, not auto-merged.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
## Problem

Across the estate, the Hypatia Security Scan CI prints three non-fatal warnings on every run:

Root cause (case c): the reusable `hypatia-scan-reusable.yml` never set `GITHUB_TOKEN` in the `Run Hypatia scan` step. The scanner reads a single env var `GITHUB_TOKEN` (`lib/rules/{dependabot,code_scanning,secret_scanning}_alerts.ex`); empty → those three checks are skipped with warnings. It was neither a misnamed secret nor the built-in token — the env line was simply absent.

## Fix

Set the scan step's env:

`HYPATIA_SCAN_PAT`) — the built-in Actions token cannot read Dependabot alerts (no `dependabot` permission exists for `GITHUB_TOKEN`).

## What this does / doesn't do

`secrets: inherit`, once the org secret `HYPATIA_SCAN_PAT` exists.

## Required manual step (cannot be automated)

Create an organization Actions secret `HYPATIA_SCAN_PAT` — fine-grained PAT, owner `hyperpolymath`, read-only: Dependabot alerts: Read, Code scanning alerts: Read, Secret scanning alerts: Read, Metadata: Read. Scope to the repos that run the scan.

🤖 Generated with Claude Code
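The change, written out as the pair of workflow fragments it touches. This is an added illustration, not the workflow files from hyperpolymath/standards or a fleet repo: the file paths, triggers, job and step layout, the `permissions:` block, the scanner command line and the artifact-upload step are assumptions. Only the env line, the `--exit-zero` flag, the `if: always()` upload, the `secrets: inherit` caller setting and the pin SHA come from the page.

```yaml
# Caller side (a fleet repo). Assumed path: .github/workflows/hypatia-scan.yml
# Pin to a commit that is on standards/main (the squash commit, not the PR
# head) and let the reusable see the org secret.
name: Hypatia Security Scan
on: [push, pull_request]
jobs:
  scan:
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@e2ef79eecdd623ff631fcbf3fe0268ba4f4ce166
    secrets: inherit   # without this the reusable cannot read HYPATIA_SCAN_PAT

---
# Reusable side (hyperpolymath/standards). Assumed layout of
# .github/workflows/hypatia-scan-reusable.yml around the one step that matters.
on:
  workflow_call:
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: read   # assumption: what the fallback built-in token needs for code-scanning alerts
    steps:
      - uses: actions/checkout@v4
      - name: Run Hypatia scan
        env:
          # Before the fix this env block did not exist: the scanner saw an
          # empty GITHUB_TOKEN and skipped the dependabot / code_scanning /
          # secret_scanning alert rules with "GITHUB_TOKEN not set" warnings.
          # After: prefer the read-only fine-grained PAT (only it can read
          # Dependabot alerts); an unset org secret evaluates to "" so the
          # expression falls back to the built-in token.
          GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
        run: hypatia scan --exit-zero --report hypatia-report.json   # command line assumed
      - name: Upload scan report
        if: always()   # keep the report regardless of the scan step's outcome
        uses: actions/upload-artifact@v4
        with:
          name: hypatia-report
          path: hypatia-report.json
```

Two things to check after rolling this out: a caller that sets `permissions:` narrower than the reusable's block will still fail the code-scanning fallback, and a fine-grained PAT scoped to fewer repos than the fleet silently falls back to the built-in token in the unscoped ones, which re-introduces the Dependabot warning there only.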