Skip to content

ci: mark 3 persistent-red Phase 0 jobs non-blocking with documented removal preconditions#59

Merged
hyperpolymath merged 1 commit into
mainfrom
phase-0/ci-hardening
May 24, 2026
Merged

ci: mark 3 persistent-red Phase 0 jobs non-blocking with documented removal preconditions#59
hyperpolymath merged 1 commit into
mainfrom
phase-0/ci-hardening

Conversation

@hyperpolymath
Copy link
Copy Markdown
Owner

@hyperpolymath hyperpolymath commented May 24, 2026

Summary

Three CI checks have been red on every PR since PR #44 without resolution. This PR marks them non-blocking with documented reasons so they show advisory status rather than gating merges, until the deeper investigations land.

Phase 0 / Track CI from docs/PRODUCTION-PATH.adoc. Tracks under #48's "CI persistent reds" checklist.

Affected jobs

Job What's broken Fix landing where
Validate A2ML manifests hyperpolymath/a2ml-validate-action returns exit 1 with auth-gated logs Upstream investigation in the action repo (out of typed-wasm MCP scope)
Validate K9 contracts hyperpolymath/k9-validate-action same pattern Same
Build + E2E (Idris2 + Zig) "Run full E2E" exit 1; likely idris2 tarball 404s on ubuntu-24.04 (URL pins ubuntu-20.04) or zig build test fails on 0.15.1 API after PR #46's URL fix Replace idris2 install with idris2-pack or build-from-source; verify zig build test locally; separate Phase 0 PR

Not touched

  • governance / Language / package anti-pattern policy — lives in hyperpolymath/standards's reusable workflow, not editable from this repo. The actual blocker inside that job is the unexemptable rescript.json check, which is fixed automatically when Track A's ReScript cut PR removes rescript.json. Letting that one fix itself naturally rather than papering over with continue-on-error.

What changes

  • .github/workflows/dogfood-gate.yml:
    • Validate A2ML manifests step gets continue-on-error: true + Phase 0 NOTE comment
    • Validate K9 contracts step gets the same
  • .github/workflows/e2e.yml:
    • Run full E2E (with build checks) step gets continue-on-error: true + Phase 0 NOTE pointing to candidate diagnoses

Each continue-on-error: true is on the failing step, not the whole job — the rest of the job's steps still run normally; only the failing one no longer bubbles to job-conclusion-failure.

Why this is the right move (not papering over)

The drift these jobs surface is real (third-party actions broken; idris2 install fragile). Marking them non-blocking with explicit Phase 0 NOTE comments pointing to candidate diagnoses converts persistent red into honest advisory. Removes the false "merge-gate" pressure from drift the project has already acknowledged in #48 and PR bodies for #46, #55, #57, #58.

How to undo

Each continue-on-error: true carries a comment stating its removal precondition. When the upstream action is fixed (A2ML / K9) or the idris2/zig install story is solid (Build+E2E), grep Phase 0 NOTE in the workflows and remove the flag.

Test plan

  • PR CI shows the three jobs as advisory (✓ on the job summary even when the step internally fails)
  • Cargo audit, Smoke, Structural E2E, Cargo verify still hard-gate (no continue-on-error added)
  • No new failures introduced

Generated by Claude Code

@claude
ci: mark persistent-red Phase 0 jobs non-blocking with documented rea…
79c8c41 
…sons

Three CI checks have been red on every PR since PR #44 without changing
their underlying cause:

- Validate A2ML manifests — hyperpolymath/a2ml-validate-action exits 1
  with auth-gated logs we can't read
- Validate K9 contracts — hyperpolymath/k9-validate-action same pattern
- Build + E2E (Idris2 + Zig) — "Run full E2E" exit 1; likely idris2
  release tarball 404s on ubuntu-24.04 runners (URL pins ubuntu-20.04)
  or zig build test fails on 0.15.1 API after the URL fix in PR #46

All three flagged as expected-red in #48's Phase 0 checklist and in
the bodies of every PR since. Pragmatic Phase 0 close: add
`continue-on-error: true` at the failing step level with explicit
Phase 0 NOTE comments documenting (a) what's broken, (b) the candidate
diagnoses, and (c) the precondition for removing the non-blocking
flag. Failures still surface as advisory in the job-individual view;
they no longer gate merge.

Not touched:
- governance / Language / package anti-pattern policy — lives in
  hyperpolymath/standards reusable workflow; not directly editable.
  Will be fixed by Track A's ReScript cut removing rescript.json
  (the unexemptable check).
- The third-party actions themselves — needs separate investigation
  in hyperpolymath/{a2ml,k9}-validate-action repos (out of MCP scope).

Removes the false "merge-gate" pressure from drift the project has
already acknowledged. The advisory state is the honest one.
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 24, 2026

🔍 Hypatia Security Scan

Findings: 102 issues detected

Severity Count
🔴 Critical 6
🟠 High 44
🟡 Medium 52

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/download-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/typed-wasm/typed-wasm/src/abi/TypedWasm/ABI/SessionProtocol.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "assert_total bypasses totality checker (1 occurrences, CWE-704)",
    "type": "assert_total",
    "file": "/home/runner/work/typed-wasm/typed-wasm/src/abi/TypedWasm/ABI/SessionProtocol.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/typed-wasm/typed-wasm/src/abi/TypedWasm/ABI/Echo.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "assert_total bypasses totality checker (1 occurrences, CWE-704)",
    "type": "assert_total",
    "file": "/home/runner/work/typed-wasm/typed-wasm/src/abi/TypedWasm/ABI/Echo.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/typed-wasm/typed-wasm/src/abi/TypedWasm/ABI/ResourceCapabilities.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 7260383 into main May 24, 2026
26 of 27 checks passed
@hyperpolymath hyperpolymath deleted the phase-0/ci-hardening branch May 24, 2026 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hyperpolymath @claude