chore(dune-project): restore symlink to .build/dune-project #307
Merged
The relicense sweep (#304) used `sed -i` which atomic-rename-replaces the target file, breaking the symlink: `dune-project` flipped from mode 120000 (symlink) to 100644 (regular file). Both files have been content-identical since, so nothing's broken — but the symlink was the original repo layout (presumably so dune's per-package `(version …)` + opam regeneration lives under `.build/` alongside other build-output staging).

Restore it: `dune-project` is once again a symlink to `.build/dune-project`.

Verified post-restore: `dune build --release` clean, binary `--version` reports `0.1.1`. Single behavioural change is that an edit to either path now propagates to the other again, as originally intended.

If a future bulk sed across the repo encounters this symlink again, the safe pattern is to operate on `git ls-files` (which lists each symlink only once via its declared path) — or to edit `.build/dune-project` directly, which keeps the symlink intact.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan

Findings: 42 issues detected

[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath added a commit that referenced this pull request Jun 21, 2026
## Problem

The merge box shows four **required** checks stuck at *"Expected — Waiting for status to be reported"*. This push confirmed it server-side:

```
- 4 of 4 required status checks are expected.
```

"Expected" is **not** a failure — it means a required context name was *never reported on the head commit*. Each of the four is produced by a different mechanism, and each can independently fail to report (proven against live PRs: affinescript #626, hypatia #517, gitbot-fleet #307):

| Required context | Producer | Why it can sit "Expected" |
|---|---|---|
| `analyze (actions, none)` | `codeql.yml` job `analyze` | `pull_request:` was gated to `branches:[main,master]` → no run on other bases → check never created |
| `hypatia / Hypatia Neurosymbolic Analysis` | `hypatia-scan.yml` reusable caller `hypatia` | same branch gate |
| `Hypatia` | Hypatia **GitHub App** check | external; rides on the scan — absent on PRs where the scan didn't run (e.g. gitbot-fleet #307) |
| `governance / Validate Hypatia baseline` | the **`standards` governance reusable** (job `governance` / "Validate Hypatia baseline") | this repo migrated off that reusable to a standalone `governance` job (#603/#604), which emits the context **`governance`** instead — so the pinned name is **orphaned and can never report** |

Root cause (one line): **branch protection pins context strings that this repo only *conditionally* emits** — a renamed job, branch-filtered workflows, and an external app — and GitHub renders any required-but-unproduced context as a permanent "Expected", indistinguishable from a hang.

## What this PR changes (repo-side fix)

1. **`codeql.yml`** — drop `pull_request: branches:[main,master]`. The required `analyze (actions, none)` job now runs on PRs against **every** base. (`push:` unchanged.)
2. **`hypatia-scan.yml`** — same de-gate, so `hypatia / Hypatia Neurosymbolic Analysis` runs on every PR base (and the `Hypatia` app check rides along).
3. **`governance-baseline.yml` + `governance-baseline-impl.yml`** (new) — a **local reusable** whose caller job id `governance` + reusable job `Validate Hypatia baseline` re-emit the exact pinned context `governance / Validate Hypatia baseline`, on every PR. It is:
   - **additive** — the standalone `governance.yml` gate is untouched; the repo now emits both `governance` and `governance / Validate Hypatia baseline`;
   - **safe vs. the reasons #603/#604 left the reusable** — it's *local* (no `@main` cross-repo coupling) and declares **no** `concurrency:` in the reusable (avoids the BP008 startup-failure class);
   - **a real gate** — validates `.hypatia-baseline.json` with `jq` (no npm) when present; passes with a notice when absent (this repo's current state).

## Residuals that need branch-protection admin (cannot be done from repo files)

- **`Hypatia` app check**: de-gating the scan is the best repo-side lever, but the app posting is ultimately external. If it still shows "Expected" on some PRs, either make it post unconditionally or **de-require** it.
- **Pin reconciliation (the cleaner fix)**: the truly correct change is to repoint the pins to the names this repo actually emits — `governance / Validate Hypatia baseline` → `governance`, and confirm no *other* `governance / *` sub-checks (the reusable emits 8) are still pinned from the pre-#603/#604 era. The local-reusable bridge here exists only so the box can go green **without** that admin access; if you'd rather repoint the pin, this bridge can be dropped.

## Verification

This PR's own run should now report all four contexts instead of leaving them "Expected"; `governance / Validate Hypatia baseline` is self-demonstrating (the new workflow runs on this PR). I'll confirm from the check-runs once they land.

## Estate note

`codeql.yml` / `hypatia-scan.yml` carry the identical `branches:[main,master]` PR gate in `hypatia`, `gitbot-fleet`, and `.git-private-farm`; the same de-gate applies there. The `governance` divergence is **affinescript-only** — the other three still call the reusable and emit `governance / Validate Hypatia baseline` natively.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26

---

_Generated by [Claude Code](https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26)_

Co-authored-by: Claude <noreply@anthropic.com>
## Summary

The relicense sweep (#304) used `sed -i`, which atomic-rename-replaces the target file and breaks symlinks. `dune-project` flipped from mode 120000 (symlink) → 100644 (regular file). Both files have been content-identical since, so nothing was broken — but the symlink was the original repo layout (likely so dune's per-package `(version …)` + opam regeneration co-located with other build-output staging under `.build/`).

Restore it: `dune-project` → `.build/dune-project`. Mode flips back: 100644 → 120000.

## Verification

- `dune build --release` clean post-restore.
- `--version` → `0.1.1`.
- `ls -la dune-project` shows `lrwxrwxrwx … dune-project -> .build/dune-project`.

## Tip for future bulk sed

If you ever need to relicense / mass-edit across the repo again, use one of:

- `git ls-files` (lists each symlink once via its declared path; sed on the symlink path will write through to the target — but it'll still atomic-rename and break the link).
- `.build/dune-project` directly, leaving the top-level symlink alone.
- `find -L … -type f | xargs sed -i --follow-symlinks` (if your sed supports `--follow-symlinks` it writes back through the link rather than replacing it).

🤖 Generated with Claude Code
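
The symlink flip described in the summary above, reproduced on a constructed tree and paired with a sweep that edits resolved targets and a check that reports links turned into regular files. This is an added example, not code from the pull request or the project; the function names and file content are hypothetical, and it assumes GNU `sed` and a `readlink` that supports `-f`.

```shell
# Added example: every path and function name here is hypothetical.
# Assumes GNU sed (-i without a suffix) and a readlink that supports -f.

# naive_sweep DIR EXPR: run sed -i on every path, symlinks included.
naive_sweep() {
    find "$1" \( -type f -o -type l \) -exec sed -i "$2" {} +
}

# safe_sweep DIR EXPR: resolve each path to its real target, edit each target
# once, and skip targets that resolve outside DIR.
safe_sweep() {
    root=$(readlink -f "$1") || return 1
    find "$1" \( -type f -o -type l \) -exec readlink -f {} \; | sort -u |
    while IFS= read -r target; do
        case "$target" in "$root"/*) ;; *) continue ;; esac
        if [ -f "$target" ]; then sed -i "$2" "$target"; fi
    done
}

# snapshot_links DIR: list symlinks before the sweep. In a Git checkout the
# index entries with mode 120000 in `git ls-files -s` are the same record.
snapshot_links() {
    (cd "$1" && find . -type l | sort)
}

# flipped_links DIR: read a snapshot on stdin, print paths that are no longer links.
flipped_links() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        [ -L "$1/$p" ] || printf '%s\n' "$p"
    done
}

# demo SWEEP_FN: constructed tree mirroring the PR layout; prints flipped
# links, then the content of the link target after the edit.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.build"
    printf 'license: OLD\n' > "$tmp/.build/dune-project"   # constructed content
    ln -s .build/dune-project "$tmp/dune-project"
    before=$(snapshot_links "$tmp")
    "$1" "$tmp" 's/OLD/NEW/'
    printf '%s\n' "$before" | flipped_links "$tmp"
    cat "$tmp/.build/dune-project"
    rm -rf "$tmp"
}

demo naive_sweep   # prints ./dune-project, then license: NEW
demo safe_sweep    # prints license: NEW only
```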