ci: fix standalone-CI fallout — SHA-pin actions, de-trip secret scanner#604
Merged
Conversation
Follow-up to #603 (merged). Addresses the two regressions #603 introduced plus the remaining startup_failure: - Re-pin first-party actions/* to SHAs (revert the @v4 major tags). The repo enforces SHA pins — Hypatia workflow_audit flagged the @v4 refs as unpinned_action, and tag refs appear to be rejected at run-creation (the persistent startup_failure hits ci/governance/secret-scanner, while every passing simple workflow — stdlib-naming, workflow-linter, scorecard-enforcer — pins by SHA). The SHAs are the repo's existing ones; only the fictional version comments (v6.0.3 / v7.0.1) were corrected. - De-trip the standalone secret scanner: its literal PEM markers tripped the code-scanner against itself (the failing "Private Key" Hypatia alert on tools/ci/secret-scan-standalone.sh). The marker is now assembled from fragments. Also fix a latent bug — patterns starting with '-' need `grep -e`, else grep parsed them as options and silently matched nothing (verified: planted PEM + AWS keys are now detected; the tree stays clean). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
🔍 Hypatia Security ScanFindings: 71 issues detected
View findings[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
…duplicate constructor Making CI standalone let `build` run for the first time (it had been startup_failing), which surfaced a latent regression from #138: flatten_imports carried imported public TopType decls into prog_decls, but the non-Wasm backends emit Option/Result constructors from a built-in runtime preamble, so the prelude types' Some/None/Ok/Err got declared twice. Running the emitted Deno-ESM module under node failed with `SyntaxError: Identifier 'Some' has already been declared` (tests/codegen-deno: http_fetch and others). Revert the flatten_imports type-carrying. #138's load-bearing fix — Wasm constructor tags via Codegen.gen_imports, which consumes the un-flattened prog — is unaffected, and the flat backends keep emitting prelude constructors via their preamble, so imported Option/Some/None/Ok/Err still lower on every backend. Verified: dune test 458 green (incl. the #138 Wasm test); tools/run_codegen_deno_tests.sh all harnesses pass under node; run_codegen_wasm_tests.sh + face-transformer tests green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
🔍 Hypatia Security ScanFindings: 71 issues detected
View findings[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced Jun 20, 2026
hyperpolymath
added a commit
that referenced
this pull request
Jun 20, 2026
…rs (#606) ## Deno-ESM: stop re-declaring the preamble's Option/Result constructors The locally-declared sibling of the duplicate-constructor bug fixed in #604. ### Bug The Deno-ESM runtime preamble always declares `Some`/`None`/`Ok`/`Err`. `gen_type_decl` *also* emits them for any program that **declares** `type Option`/`type Result` — including `stdlib/prelude.affine` — so the emitted module crashes under node: ``` $ affinescript compile --deno-esm -o prelude.deno.js stdlib/prelude.affine $ node prelude.deno.js SyntaxError: Identifier 'Some' has already been declared ``` It stayed latent because the #136 AOT smoke only checks the emitted module is **non-empty** — it never runs it. ### Fix Skip the variants the preamble already provides (`Some`/`None`/`Ok`/`Err`) when lowering a `TyEnum` in `codegen_deno.ml`. User-defined enums are unaffected. ### Verified ``` stdlib/prelude.affine -> deno : `const Some` ×1, runs under node ✅ (was ×2, crashed) user enum (Color=Red|Green|Blue): still emitted, runs ✅ tools/run_codegen_deno_tests.sh : all harnesses pass under node ✅ dune test : 459 green (+1 new regression test) ``` New test `Deno-ESM no duplicate Option/Result constructor` asserts `const Some` is declared exactly once — the run-under-node guard the AOT smoke lacked. ### Scope / follow-ups - This + #604 close the duplicate-constructor class on the **Deno** backend (the one executed in CI). - The **JS and C** backends show the same latent preamble/declaration duplication (2 `Some` decls) but their output isn't executed in CI — tracked as a follow-up, not fixed here. 🤖 Generated with [Claude Code](https://claude.com/claude-code) https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8 --- _Generated by [Claude Code](https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8)_ Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jun 20, 2026
Optional housekeeping from the #138 / standalone-CI thread. Docs + regenerated test fixtures only — no source change. ### 1. `.claude/CLAUDE.md` — refresh the stale "known-failing baseline checks" Now that CI is standalone + green on `main` (#604), several entries were out of date: - `vscode-smoke` → **now passes** (self-contained; skips cleanly without the optional npm package). - `migration-assistant` → **passes on current `main`** (only red on pre-#342 bases). - `governance` → replaced by the self-contained local gate (`tools/ci/governance-standalone.sh`); the old estate `Language / package anti-pattern policy` sub-check no longer runs. - Hypatia comment counts refreshed (~43–71); clarified it's a *delta in your changed files* that matters, and the Hypatia *check* gates separately (green). - Recorded the two `startup_failure` classes that bit the repo for days so they aren't reintroduced: **(1)** the Actions "allowed actions" policy rejects **tag-pinned** refs at run-creation → pin every `uses:` to a full SHA; **(2)** BP008 reusable-caller `concurrency:` stacking. ### 2. `tests/codegen-deno/*.deno.js` — sync 3 drifted snapshots 3 of 30 committed Deno-ESM snapshots had drifted from current codegen output (runtime-preamble evolution — WASI `fd_write` import, pixi/ipc bindings); regenerated. All deno harnesses still pass under node. ### Verified `dune test` green · `tools/run_codegen_deno_tests.sh` all harnesses pass. 🤖 Generated with [Claude Code](https://claude.com/claude-code) https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8 --- _Generated by [Claude Code](https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8)_ Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #603 (merged). #603 went in via admin bypass with red CI, so
mainis currently not green — this PR fixes that and completes "ensure standalone CI makes it through CI/CD."What was still wrong after #603
startup_failurepersisted onCI/Governance/Secret Scanner— even though Governance/Secret-Scanner became trivial (checkout+run:). Identical failure across totally different file content ⇒ not the content. The one structural difference vs the passing simple workflows (stdlib-naming,workflow-linter,scorecard-enforcer): they pinactions/checkout@<SHA>; ci: make CI standalone (drop estate reusable workflows + third-party setup action) #603 used@v4tags. The repo's "allowed actions" policy appears to reject tag refs at run-creation.tools/ci/secret-scan-standalone.sh: the scanner's literal PEM markers tripped the code-scanner against itself.unpinned_actionfindings (+15) — the@v4tags violate the repo's SHA-pinning policy (workflow_audit).Fix
actions/*to SHAs (revert@v4→ the repo's existing SHAs; only the fictional version commentsv6.0.3/v7.0.1were corrected tov4). This clears theunpinned_actionfindings and is the fix for the tag-refstartup_failure(SHA-only policy).-needgrep -e, else grep parsed them as options and silently matched nothing. Verified: planted PEM and AWS keys are now detected; the tree stays clean.Verified locally
Honest caveat
The SHA-only-policy theory is evidence-based but I can't observe GitHub's run-creation from here. This PR's own CI run is the test: if
CI/Governance/Secret Scannernow start (andbuild/lint/testrun), the theory holds. Ifstartup_failurepersists despite SHA pins, the remaining cause is an owner-side Settings → Actions → Allowed actions policy I can't change — I'll report that.Unchanged from #603 and still intentional:
hypatia-scan/spark-theatre-gate(estate-proprietary, passing),mirror(cross-forge),release.yml(cross-platform macOS matrix needsocaml/setup-ocaml).🤖 Generated with Claude Code
https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
Generated by Claude Code