ci(governance): pin governance-reusable to standards@main SHA #32
Merged
Pins governance.yml's reusable-workflow ref from the moving @main to the commit it currently resolves to, 78b29005efe954822c86c553b40523b9fdae78d4 (read from the passing run's referenced_workflows metadata). Clears the OpenSSF Pinned-Dependencies / DependencyPinning finding.

This is the CURRENT, fixed standards bundle (identical to what has been passing as @main) -- not the broken e0caf115 commit #31 had to revert (that older version checked out standards at the caller's SHA).

Trade-off: governance no longer auto-tracks standards@main; bump this SHA when the standards bundle updates.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
🔍 Hypatia Security Scan
Findings: 9 issues detected
[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/wokelangiser/wokelangiser/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 24,
"reason": "Secret found: Generic API key",
"type": "secret_detected",
"file": "/home/runner/work/wokelangiser/wokelangiser/.envrc",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in wokelangiser: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/wokelangiser/wokelangiser",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in wokelangiser",
"type": "DependencyPinning",
"file": "/home/runner/work/wokelangiser/wokelangiser",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
},
{
"reason": "Repository has 11 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/scorecard_publish_with_run_step -- Hypatia workflow_audit: scorecard_publish_with_run_step -- 20 day(s) old [STALE]",
"type": "CSA001",
"file": "scorecard-enforcer.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code-scanning alert hypatia/workflow_audit/scorecard_publish_with_run_step (high) at scorecard-enforcer.yml is 20 days old (threshold: 7 days) -- overdue for remediation",
"type": "CSA003",
"file": "scorecard-enforcer.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Source file missing SPDX-License-Identifier header",
"type": "SD009",
"file": "src/interface/ffi/src/main.zig",
"action": "add_spdx_header",
"rule_module": "structural_drift",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Completes the DependencyPinning item #31 had to defer.

Change

governance.yml — pin the reusable-workflow ref: governance-reusable.yml@main → @78b29005efe954822c86c553b40523b9fdae78d4

The SHA is what @main currently resolves to, read from the passing governance run's referenced_workflows metadata — i.e. the current, fixed standards bundle (identical content to what's been passing as @main). This is not the broken e0caf115 commit #31 had to revert (that older version checked out standards at the caller's SHA → fatal: not our ref).

Why this is safe

- @main resolves to right now, so the workflow content is byte-identical to the runs that have been passing → governance CI stays green, and this PR's own governance / * checks validate the pin.
- Pinned-Dependencies / DependencyPinning.

Trade-off

Governance no longer auto-tracks standards@main; bump this SHA when the standards governance bundle updates (the inline # standards@main, pinned 2026-06-20 comment flags it for maintainers).

🤖 Generated with Claude Code
https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
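As an added example (not code from the PR or the wokelangiser repo), a small checker for the Pinned-Dependencies finding this PR clears: it walks a workflow's `uses:` targets and reports any that resolve through a moving ref (branch, tag, untagged Docker image, or no ref at all), while accepting a full 40-hex SHA even when a trailing `# standards@main, pinned ...` comment follows it. The sample workflow, the example-org/standards path and the all-zero SHAs are constructed placeholders; only the 78b29005efe954822c86c553b40523b9fdae78d4 SHA comes from the PR.

```python
import re

# A `uses:` line; the target ends at whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<target>[^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # only a full SHA counts as pinned
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample caller workflow (placeholder org/repo names and placeholder
# all-zero SHAs; the 78b29005... SHA is the one the PR pins to).
SAMPLE = """\
jobs:
  governance-before:
    uses: example-org/standards/.github/workflows/governance-reusable.yml@main
  governance-after:
    uses: example-org/standards/.github/workflows/governance-reusable.yml@78b29005efe954822c86c553b40523b9fdae78d4  # standards@main, pinned 2026-06-20
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: "docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000"
"""

def classify_ref(target: str) -> str:
    """Return 'local', 'sha', 'digest' or 'mutable' for one `uses:` target."""
    if target.startswith("./"):
        return "local"    # repo-local action or workflow: travels with the commit
    if target.startswith("docker://"):
        return "digest" if DOCKER_DIGEST_RE.search(target) else "mutable"
    if "@" not in target:
        return "mutable"  # no ref: resolves to the default branch, which moves
    ref = target.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"  # tags/branches/short SHAs move

def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """(line number, target) for each `uses:` not pinned to an immutable ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group("target")) == "mutable":
            findings.append((lineno, m.group("target")))
    return findings

if __name__ == "__main__":
    for lineno, target in find_unpinned(SAMPLE):
        print(f"line {lineno}: not SHA-pinned: {target}")
```

Run against a real `.github/workflows/*.yml` the same way; a clean repo returns an empty list, which is what the Scorecard check is looking for.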