chore: refresh stale CI notes + sync drifted Deno fixtures #608
Merged
- .claude/CLAUDE.md: update the "known-failing baseline checks" section. vscode-smoke and migration-assistant now pass; governance is now a self-contained local gate (#603/#604) so the old estate "Language / package anti-pattern policy" sub-check no longer runs; Hypatia comment counts refreshed. Record the two startup_failure classes now that CI is standalone + green on main (#604): the Actions allowed-actions policy rejects tag-pinned refs at run-creation (pin to full SHA), and BP008 reusable-caller concurrency stacking.
- tests/codegen-deno/*.deno.js: regenerate 3 committed snapshots that had drifted from current codegen output (runtime-preamble evolution — WASI fd_write import, pixi/ipc bindings). All deno harnesses still pass under node.

Docs + regenerated test fixtures only; no source change. dune test green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
🔍 Hypatia Security Scan
Findings: 43 issues detected
[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Optional housekeeping from the #138 / standalone-CI thread. Docs + regenerated test fixtures only — no source change.

1. .claude/CLAUDE.md — refresh the stale "known-failing baseline checks"

Now that CI is standalone + green on main (#604), several entries were out of date:

- vscode-smoke → now passes (self-contained; skips cleanly without the optional npm package).
- migration-assistant → passes on current main (only red on pre-ci(migration-assistant): fix smoke-parse for tree-sitter-cli 0.25 #342 bases).
- governance → replaced by the self-contained local gate (tools/ci/governance-standalone.sh); the old estate Language / package anti-pattern policy sub-check no longer runs.
- startup_failure classes that bit the repo for days so they aren't reintroduced: (1) the Actions "allowed actions" policy rejects tag-pinned refs at run-creation → pin every uses: to a full SHA; (2) BP008 reusable-caller concurrency: stacking.

2. tests/codegen-deno/*.deno.js — sync 3 drifted snapshots

3 of 30 committed Deno-ESM snapshots had drifted from current codegen output (runtime-preamble evolution — WASI fd_write import, pixi/ipc bindings); regenerated. All deno harnesses still pass under node.

Verified

dune test green · tools/run_codegen_deno_tests.sh all harnesses pass.

🤖 Generated with Claude Code
https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
Generated by Claude Code
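
The pinning rule that appears twice on this page (the scan's `unpinned_action` finding for `denoland/setup-deno@v2`, and the description's "pin every uses: to a full SHA") can be checked locally before a push. The following is an added example, not code from this PR or from the project's tooling; the workflow text, the 40-hex SHA and the function name `unpinned_uses` are constructed for illustration.

```python
import re

# A `uses:` entry at step or job level; captures the reference up to any
# whitespace, quote or trailing comment. Commented-out lines do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(workflow_text):
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        # Local actions (./path) and docker:// images are not pinned by a
        # git ref, so they are out of scope for this check (assumption).
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.rpartition("@")
        if not sep or not FULL_SHA_RE.match(version):
            line_no = workflow_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, ref))
    return findings


# Constructed workflow: one SHA-pinned step, two tag/branch-pinned steps,
# and one local action. The SHA below is a made-up placeholder.
SAMPLE = """\
name: publish
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: denoland/setup-deno@v2
      - name: local composite action
        uses: ./.github/actions/build
      - uses: peter-evans/repository-dispatch@main
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_uses(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned to a full SHA")
```

Run over every file in `.github/workflows/`, a non-empty result is a reason to fail the local gate before the run is rejected at creation time.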