fix(ci): pass GITHUB_TOKEN to Hypatia scanner in reusable workflow#429

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/hypatia-token-setup-uobc42
Jun 26, 2026

Conversation

@hyperpolymath

Owner

Problem

Across the estate, the Hypatia Security Scan CI prints three non-fatal warnings on every run:

Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set
Warning: Secret-scanning alerts unavailable: GITHUB_TOKEN not set
Warning: Code-scanning alerts unavailable: GITHUB_TOKEN not set

Root cause (case c): the reusable hypatia-scan-reusable.yml never set GITHUB_TOKEN in the Run Hypatia scan step. The scanner reads a single env var GITHUB_TOKEN (lib/rules/{dependabot,code_scanning,secret_scanning}_alerts.ex); empty → those three checks are skipped with warnings. It was neither a misnamed secret nor the built-in token — the env line was simply absent.

Fix

Set the scan step's env:

GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
  • Prefer a fine-grained, read-only PAT inherited as an org Actions secret (HYPATIA_SCAN_PAT) — the built-in Actions token cannot read Dependabot alerts (no dependabot permission exists for GITHUB_TOKEN).
  • Fall back to the built-in token so code-scanning alerts still resolve in repos where the PAT isn't present yet.

What this does / doesn't do

  • ✅ Silences the three warnings fleet-wide via secrets: inherit, once the org secret HYPATIA_SCAN_PAT exists.
  • ❌ Does not change the severity gate — medium+ findings still fail CI. (The exit-1 is the findings, not the token.)

Required manual step (cannot be automated)

Create an organization Actions secret HYPATIA_SCAN_PAT — fine-grained PAT, owner hyperpolymath, read-only: Dependabot alerts: Read, Code scanning alerts: Read, Secret scanning alerts: Read, Metadata: Read. Scope to the repos that run the scan.

🤖 Generated with Claude Code
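Added example, not the standards repo's own workflow file: it shows where the fixed `env` line sits in the reusable workflow and how a caller has to inherit the org secret for the `||` fallback to resolve. The scanner `run` command, the caller job name and the `on:` triggers are placeholders; only the secret names, the workflow filename and the pinned SHA come from this PR.

```yaml
# Callee: .github/workflows/hypatia-scan-reusable.yml (illustrative reconstruction)
name: Hypatia Security Scan (reusable)
on:
  workflow_call:   # no `secrets:` declarations needed when callers use `secrets: inherit`

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: read   # built-in token needs this to read code-scanning alerts
    steps:
      - uses: actions/checkout@v4

      # BEFORE (the bug): the step had no `env:` block, so the scanner read an
      # empty GITHUB_TOKEN and skipped the Dependabot / code-scanning /
      # secret-scanning checks with the three "GITHUB_TOKEN not set" warnings.
      #
      # AFTER (the fix): prefer the read-only org PAT. An undefined secret
      # evaluates to the empty string, which is falsy in the expression syntax,
      # so `||` falls back to the built-in token in repos without the PAT.
      # Dependabot alerts still need the PAT: GITHUB_TOKEN has no dependabot
      # permission (per the PR description).
      - name: Run Hypatia scan
        env:
          GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
        run: ./hypatia-scan   # placeholder for the real scanner invocation

---
# Caller in a downstream repo (illustrative). Pin to the squash-merge SHA that is
# on standards/main so the Workflow-Staleness check recognises the ancestor.
name: Hypatia Security Scan
on: [push, pull_request]

jobs:
  hypatia:
    # A called workflow can only downgrade the caller's token permissions, never
    # elevate them, so security-events: read has to be granted here as well.
    permissions:
      contents: read
      security-events: read
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@e2ef79eecdd623ff631fcbf3fe0268ba4f4ce166
    secrets: inherit   # exposes the org secret HYPATIA_SCAN_PAT to the callee
```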


Generated by Claude Code

The reusable scan workflow never set GITHUB_TOKEN in the "Run Hypatia scan"
step, so the scanner's Dependabot / code-scanning / secret-scanning alert
checks were always skipped with "GITHUB_TOKEN not set" warnings across every
repo that calls this workflow.

Set it to `secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN`:

- Prefer a fine-grained, read-only PAT inherited as an org Actions secret
  (HYPATIA_SCAN_PAT) -- the built-in Actions token CANNOT read Dependabot
  alerts (no `dependabot` permission exists for GITHUB_TOKEN).
- Fall back to the built-in token so code-scanning alerts still resolve in
  repos where the PAT is not present yet.

This silences the three warnings fleet-wide once the org secret exists. It
does not change the severity gate (medium+ findings still fail CI).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V13sGvHnaeCY5A9fF2QsDm
@hyperpolymath hyperpolymath marked this pull request as ready for review June 26, 2026 18:34
@hyperpolymath hyperpolymath merged commit e2ef79e into main Jun 26, 2026
22 of 35 checks passed
hyperpolymath added a commit to hyperpolymath/gitbot-fleet that referenced this pull request Jun 26, 2026
…322)

## Summary

Bumps the Hypatia scan wrapper's reusable-workflow pin from `d135b05` (pre-fix) to `e2ef79eecdd623ff631fcbf3fe0268ba4f4ce166` — the squash-merge of [standards#429](hyperpolymath/standards#429) on `standards/main`.

### Why

- `d135b05` predates the alert-token fix: the reusable's "Run Hypatia scan" step set no `GITHUB_TOKEN`, so the scanner's Dependabot / code-scanning / secret-scanning checks were skipped with `GITHUB_TOKEN not set` warnings.
- The interim pin `abd93c3` (the head commit of PR #429) is **not** an ancestor of `standards/main` — #429 was squash-merged as `e2ef79e` — so it tripped the governance **Workflow-Staleness** check (`abd93c3` "not a recognised ancestor of standards HEAD").
- `e2ef79e` is on `standards/main` and carries the full fix: `GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}` plus `--exit-zero` + `if: always()` artifact upload.

This is the fleet-side counterpart to the identical re-pin in
`hyperpolymath/hypatia`.

> Note: fleet **actuation** uses `HYPATIA_DISPATCH_PAT` (a different token); this change only concerns the read-only scan reusable and does not touch dispatch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---
_Generated by [Claude Code](https://claude.ai/code/session_01CqWi7nt49wKrsfsTdXy8ed)_

Co-authored-by: hyperpolymath <paraordinate@yahoo.co.uk>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request Jul 1, 2026
…ine (#448)

Canonical estate operating-doctrine statement + licence-consistency
script rework (MPL-2.0 code / CC-BY-SA-4.0 prose split) + several CI
reusable-workflow fixes already landed piecemeal (#429-#442) that this
branch was stacked on.

**Left un-armed for auto-merge deliberately** — this declares canonical
estate doctrine and should be owner-ratified before merging, not
auto-merged.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>