ci: make CI standalone (drop estate reusable workflows + third-party setup action)#603
Merged
…setup action)

The PR-gating build/lint/test were blocked by startup_failure on workflows with external dependencies. Make the gating CI self-contained:

- ci.yml: self-host the OCaml toolchain via apt + opam (replacing third-party ocaml/setup-ocaml); use only first-party actions/* at real upstream major tags. The previous SHA pins carried fictional version comments (checkout "v6.0.3", upload-artifact "v7.0.1" — nonexistent upstream). dune-project needs OCaml >= 4.14, satisfied by the runner's apt OCaml (ocaml-system) with a base-compiler fallback.
- governance.yml: replace the hyperpolymath/standards governance-reusable with a conservative, delta-aware local gate (tools/ci/governance-standalone.sh): Jekyll-artifact ban, MPL-1.0 SPDX-header ban, PR-delta DOC-FORMAT check. Verified to pass clean on the current tree.
- secret-scanner.yml: replace the hyperpolymath/standards secret-scanner-reusable (which needed inherited secrets) with a pure-shell high-confidence scan (tools/ci/secret-scan-standalone.sh). No secrets required.
- scorecard.yml: call ossf/scorecard-action directly (mirroring the already-direct scorecard-enforcer.yml), dropping the estate reusable.

Root cause of the governance/secret-scanner startup_failure: a concurrency block in a reusable-workflow caller stacks on the reusable's own concurrency declaration and is rejected at run-creation (the BP008 class documented in spark-theatre-gate.yml). The standalone replacements are normal workflows, so their concurrency blocks are safe.

Left intentionally (see PR): hypatia-scan + spark-theatre-gate (estate-proprietary scanners, currently passing — reproducing locally would lose coverage), mirror (cross-forge by nature), and release.yml's ocaml/setup-ocaml (cross-platform macOS matrix; a Linux-only inline setup would break it).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
🔍 Hypatia Security Scan. Findings: 60 issues detected (the 10 reproduced below all concern `ci.yml`).

```json
[
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/setup-node@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/setup-node@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "ci.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath added a commit that referenced this pull request on Jun 20, 2026:
…er (#604)

Follow-up to #603 (merged). #603 went in via admin bypass with **red CI**, so `main` is currently not green — this PR fixes that and completes "ensure standalone CI makes it through CI/CD."

## What was still wrong after #603

1. **`startup_failure` persisted** on `CI` / `Governance` / `Secret Scanner` — even though Governance/Secret-Scanner became trivial (`checkout` + `run:`). Identical failure across totally different file content ⇒ not the content. The one structural difference vs the **passing** simple workflows (`stdlib-naming`, `workflow-linter`, `scorecard-enforcer`): they pin `actions/checkout@<SHA>`; #603 used `@v4` **tags**. The repo's "allowed actions" policy appears to **reject tag refs at run-creation**.
2. **Hypatia check FAILED** — "Private Key" detected in `tools/ci/secret-scan-standalone.sh`: the scanner's literal PEM markers tripped the code-scanner against itself.
3. **Hypatia `unpinned_action` findings** (+15) — the `@v4` tags violate the repo's SHA-pinning policy (`workflow_audit`).

## Fix

- **Re-pin all first-party `actions/*` to SHAs** (revert `@v4` → the repo's existing SHAs; only the fictional version *comments* `v6.0.3`/`v7.0.1` were corrected to `v4`). This clears the `unpinned_action` findings **and** is the fix for the tag-ref `startup_failure` (SHA-only policy).
- **De-trip the secret scanner**: the PEM marker is now assembled from fragments, so no full marker literal appears in the file (clears the failing Hypatia "Private Key" alert).
- **Fix a latent scanner bug**: patterns starting with `-` need `grep -e`, else grep parsed them as options and silently matched nothing. Verified: planted PEM **and** AWS keys are now detected; the tree stays clean.

## Verified locally

```
tools/ci/secret-scan-standalone.sh → PASS (clean tree)
planted -----BEGIN RSA PRIVATE KEY----- file → FAIL (detected) ✅
planted AKIA… file → FAIL (detected) ✅
no literal 'BEGIN' marker remains in the script
all 4 workflows: valid YAML; zero `actions/*@vN` tag pins (all SHA)
```

## Honest caveat

The SHA-only-policy theory is evidence-based but I can't observe GitHub's run-creation from here. **This PR's own CI run is the test:** if `CI`/`Governance`/`Secret Scanner` now *start* (and `build`/`lint`/`test` run), the theory holds. If `startup_failure` persists despite SHA pins, the remaining cause is an owner-side **Settings → Actions → Allowed actions** policy I can't change — I'll report that.

Unchanged from #603 and still intentional: `hypatia-scan` / `spark-theatre-gate` (estate-proprietary, passing), `mirror` (cross-forge), `release.yml` (cross-platform macOS matrix needs `ocaml/setup-ocaml`).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8

---

_Generated by [Claude Code](https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8)_

---------

Co-authored-by: Claude <noreply@anthropic.com>
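The two scanner fixes described in the commit message above (`grep -e` for patterns that begin with a dash, and a PEM marker assembled from fragments), as an added example. This is not the repository's `tools/ci/secret-scan-standalone.sh` and makes no claim about how that script is written. The fixture files it plants are constructed for the demo: the key header is assembled the same way, and the AKIA value is the placeholder key ID from AWS's own documentation, also built from fragments so the script does not flag itself.

```shell
#!/bin/sh
# Added example, not the repository's tools/ci/secret-scan-standalone.sh: a
# high-confidence secret scan in POSIX shell built around the two fixes the
# #604 commit message describes.
#   1. Patterns that begin with '-' must be given with `grep -e`; passed
#      positionally, grep parses "-----BEGIN ..." as options and matches nothing.
#   2. The PEM header marker is assembled from fragments at run time so the
#      scanner's own source never contains the literal it searches for.
# The AKIA pattern is the well-known AWS access key ID shape (AKIA + 16 chars).

# Build the PEM regex from fragments; the format string itself does not start
# with '-', so printf needs no option handling either.
pem_pattern() {
    printf '%s%s [A-Z ]*%s-----' '-----' 'BEGIN' 'PRIVATE KEY'
}

# report_hits FILE RULE  (stdin: `grep -n` output)  ->  "<file>:<line>: <rule>"
report_hits() {
    while IFS= read -r hit; do
        printf '%s:%s: %s\n' "$1" "${hit%%:*}" "$2"
    done
}

# secret_scan FILE...  Returns 0 when clean, 1 when any file has a hit.
secret_scan() {
    hits=$(
        for f in "$@"; do
            [ -f "$f" ] || continue
            # -e is what makes the leading-dash pattern safe (fix 1 above).
            grep -n -E -e "$(pem_pattern)" "$f" | report_hits "$f" private-key
            grep -n -E -e 'AKIA[0-9A-Z]{16}' "$f" | report_hits "$f" aws-access-key-id
        done
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# The pre-fix form, kept for contrast: without -e grep treats the pattern as an
# option string, exits 2 with a usage error on stderr and prints nothing on
# stdout, which is the "silently matched nothing" failure once stderr is dropped.
naive_grep() {
    grep -n -E "$(pem_pattern)" "$1" 2>/dev/null
}

# plant_samples DIR: constructed fixtures (not real credentials). The key header
# and the AKIA value are assembled from fragments so this script stays free of
# both literals; IOSFODNN7EXAMPLE is AWS's documented placeholder key ID suffix.
plant_samples() {
    printf 'just a readme\nno secrets here\n' > "$1/clean.txt"
    printf '%s%s RSA %s-----\nMIIEowIBAAKCAQEAexamplekeymaterial\n' \
        '-----' 'BEGIN' 'PRIVATE KEY' > "$1/key.pem"
    printf '# local env\nAWS_ACCESS_KEY_ID=AKIA%s\n' 'IOSFODNN7EXAMPLE' > "$1/creds.env"
}

# Stand-alone demo: a clean file passes, planted secrets are reported.
run_demo() {
    dir=$(mktemp -d)
    plant_samples "$dir"
    if secret_scan "$dir/clean.txt"; then
        echo "clean file: PASS"
    fi
    if ! secret_scan "$dir/key.pem" "$dir/creds.env"; then
        echo "planted secrets: FAIL (detected)"
    fi
    rm -rf "$dir"
}
run_demo
```

Pass the files to scan as arguments (a PR-delta gate would feed it the changed-file list); exit 1 means a hit. Keeping the rule name in the output rather than the matched text avoids echoing the secret itself into CI logs.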
Make CI standalone (no external-repo reusable workflows on the gating path)

Follow-up to the #602 investigation: the PR-gating `build`/`lint`/`test` never ran because several workflows were in `startup_failure`. This makes the gating CI self-contained — no dependency on the external `hyperpolymath/standards` reusable workflows and no third-party toolchain action — so it runs regardless of that repo's state or an org "allowed actions" policy.

## Root cause found

The estate `spark-theatre-gate.yml` carries a documented note (BP008): a `concurrency:` block in a reusable-workflow caller, when the reusable also declares concurrency on the same key, is rejected at run-creation → `startup_failure` (no check-run is ever emitted). `governance.yml` and `secret-scanner.yml` both still had caller-level `concurrency:` blocks calling estate reusables → that is why they startup-failed, while `hypatia`/`spark` (no stacking) passed. The standalone replacements here are normal workflows, so their concurrency blocks are safe.

## Changes

| Workflow | Before | After |
| --- | --- | --- |
| `ci.yml` | `ocaml/setup-ocaml` (third-party) + first-party pins with fictional version comments (checkout `# v6.0.3`, upload-artifact `# v7.0.1`) | `apt + opam` (`ocaml-system`, `base-compiler` fallback; dune-project needs ≥4.14); only first-party `actions/*` at real major tags |
| `governance.yml` | `hyperpolymath/standards/.../governance-reusable.yml@main` | `tools/ci/governance-standalone.sh` (Jekyll ban, MPL-1.0 SPDX-header ban, PR-delta DOC-FORMAT) |
| `secret-scanner.yml` | `hyperpolymath/standards/.../secret-scanner-reusable.yml` + `secrets: inherit` | `tools/ci/secret-scan-standalone.sh` (pure-shell, high-confidence patterns, no secrets) |
| `scorecard.yml` | `hyperpolymath/standards/.../scorecard-reusable.yml` | `ossf/scorecard-action` (mirrors the already-direct `scorecard-enforcer.yml`) |

New: `tools/ci/governance-standalone.sh`, `tools/ci/secret-scan-standalone.sh` (both `chmod +x`).

## Verification (local)

The gates were calibrated against the tree first: a naïve gate would false-fail (59 pre-existing `docs/*.md`, 14 `MPL-1.0` mentions in policy/docs), so the checks are header-aware (0 actual `SPDX: MPL-1.0` headers) and DOC-FORMAT is delta-only (matches the canonical "PR that adds a docs/ .md" semantics; pre-existing files are never retro-flagged).

## Left intentionally (not "fully" standalone — by design)

- `release.yml`: `ocaml/setup-ocaml` runs on a cross-platform matrix (Linux + macOS); a Linux-only `apt` inline setup would break the macOS release builds, and the publish path isn't testable here. Not PR-gating.
- Other third-party actions (`github/codeql-action`, `denoland/setup-deno`, `dtolnay/rust-toolchain`, `haskell-actions/setup`, `peter-evans/repository-dispatch`) — normal, non-estate; inlining toolchain setups (esp. cross-platform) is a larger follow-up. Happy to do these if you want.

## Notes / trade-offs for review

- `actions/*` are pinned to major tags (`@v4`) rather than SHAs, because the prior SHA pins were labelled with nonexistent versions. `scorecard-enforcer.yml`'s `check-critical` job warns (non-blocking) on `@vN` pins. Re-pin to verified upstream SHAs if you prefer; first-party actions are always allowed under any allowlist.
- `timeout-minutes` 10 → 25 to cover the toolchain install.
- If `ci.yml` still startup-fails after this, the remaining cause is isolated to first-party actions and points at an org Actions-policy/platform issue (owner-side).
- Alternatively, keep the estate reusables and drop the caller-level `concurrency:` block (keeps the canonical estate checks). This PR goes standalone per request, but that option remains if you'd rather keep estate coverage.

🤖 Generated with Claude Code
https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8

Generated by Claude Code