ci: make the four required status checks reportable on every PR #645
Merged
Four branch-protection-required checks sit permanently at "Expected —
Waiting for status to be reported" because the contexts they pin are only
conditionally produced:
- `analyze (actions, none)`: codeql.yml, gated to base main/master
- `hypatia / Hypatia Neurosymbolic Analysis`: hypatia-scan.yml, gated to base main/master
- `Hypatia`: GitHub App check (rides on the scan)
- `governance / Validate Hypatia baseline`: emitted by the standards governance
  reusable; this repo runs a standalone `governance` job (#603/#604) instead
This fixes the repo-side of the mismatch:
* codeql.yml / hypatia-scan.yml: drop the pull_request `branches:[main,master]`
filter so the required jobs run on PRs against every base. A required check
whose workflow is branch-filtered is never created, so it blocks forever.
* Add governance-baseline.yml + governance-baseline-impl.yml: a LOCAL reusable
(no cross-repo @main coupling, no BP008 concurrency collision) whose
`governance` / "Validate Hypatia baseline" job re-emits the pinned context
name without disturbing the standalone governance gate. Additive: the repo
now emits both `governance` and `governance / Validate Hypatia baseline`.
The `Hypatia` app check and any other pinned `governance / *` sub-checks remain
a branch-protection reconciliation (repoint pins to emitted names) needing
repo-admin access; documented in the PR.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26
🔍 Hypatia Security Scan
Findings: 41 issues detected
View findings
[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (3 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
This was referenced Jun 21, 2026
hyperpolymath added a commit to hyperpolymath/hypatia that referenced this pull request on Jun 21, 2026:
## What

Removes the `pull_request: branches:[main, master]` filter from `codeql.yml` and `hypatia-scan.yml` so their **required** jobs — `analyze (actions, none)` / `analyze (javascript-typescript, none)` and `hypatia / Hypatia Neurosymbolic Analysis` — report on PRs against **every** base. `push:` and `schedule:` triggers are unchanged.

## Why

A required status check whose workflow is branch-filtered is never *created* on a non-matching base, so the PR sits permanently at *"Expected — Waiting for status to be reported"* — a silent merge block indistinguishable from a hang. This mirrors hyperpolymath/affinescript#645, which diagnosed and fixed the same class.

No governance change is needed here: this repo still emits `governance / Validate Hypatia baseline` natively via the `standards` reusable (verified on a recent PR), so only the two branch-gated workflows needed de-gating.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26

---

_Generated by [Claude Code](https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26)_

Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request on Jun 21, 2026:
## What

Documents the CI failure class diagnosed and fixed in #645 (merged), so it doesn't have to be re-derived next time.

- **`docs/ci/required-checks.adoc`** (new) — the *"Expected — Waiting for status to be reported"* trap: what it means (a required context never reported ≠ a failure), the three mechanisms that cause it (branch-filtered workflow / renamed-migrated job / external app check), a diagnosis recipe (`get_check_runs` vs the required pins), the guardrail rule, and the estate required-vs-emitted matrix.
- **`.machine_readable/6a2/PLAYBOOK.a2ml`** — new `[ci-required-checks]` operational entry pointing at the doc + tracking issue.

## Why

This is the "sketch area + human/machine documentation" half of the close-out for the required-checks work. The fix itself shipped in #645; this preserves the *reasoning* and the *rule* (a context may be marked Required only if it is emitted unconditionally on every PR that can target the protected branch).

Refs #645 · #650 (pin reconciliation) · hyperpolymath/hypatia#519 (`Hypatia` app check). DOC-FORMAT-compliant (`.adoc`).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26

---

_Generated by [Claude Code](https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26)_

Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/gitbot-fleet that referenced this pull request on Jun 21, 2026:
## What

Removes the `pull_request: branches:[main, master]` filter from `codeql.yml` and `hypatia-scan.yml` so their **required** jobs — `analyze (actions, none)` / `analyze (rust, none)` and `hypatia / Hypatia Neurosymbolic Analysis` — report on PRs against **every** base. `push:` and `schedule:` triggers are unchanged.

## Why

A required status check whose workflow is branch-filtered is never *created* on a non-matching base, so the PR sits permanently at *"Expected — Waiting for status to be reported"* — a silent merge block indistinguishable from a hang. Observed live on this repo: PR #307 had **no** `hypatia / Hypatia Neurosymbolic Analysis` and **no** `Hypatia` check at all. This mirrors hyperpolymath/affinescript#645, which diagnosed and fixed the same class.

No governance change is needed here — this repo still emits `governance / Validate Hypatia baseline` natively via the `standards` reusable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26

---

_Generated by [Claude Code](https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26)_

Co-authored-by: Claude <noreply@anthropic.com>
## Problem

The merge box shows four required checks stuck at "Expected — Waiting for status to be reported". This push confirmed it server-side:

"Expected" is not a failure — it means a required context name was never reported on the head commit. Each of the four is produced by a different mechanism, and each can independently fail to report (proven against live PRs: affinescript #626, hypatia #517, gitbot-fleet #307):

- `analyze (actions, none)`: `codeql.yml` job `analyze`; `pull_request:` was gated to `branches:[main,master]` → no run on other bases → check never created
- `hypatia / Hypatia Neurosymbolic Analysis`: `hypatia-scan.yml` reusable caller `hypatia`
- `Hypatia`
- `governance / Validate Hypatia baseline`: `standards` governance reusable (job `governance` / "Validate Hypatia baseline"); `governance` job (#603/#604), which emits the context `governance` instead — so the pinned name is orphaned and can never report

Root cause (one line): branch protection pins context strings that this repo only conditionally emits — a renamed job, branch-filtered workflows, and an external app — and GitHub renders any required-but-unproduced context as a permanent "Expected", indistinguishable from a hang.

## What this PR changes (repo-side fix)

- `codeql.yml` — drop `pull_request: branches:[main,master]`. The required `analyze (actions, none)` job now runs on PRs against every base. (`push:` unchanged.)
- `hypatia-scan.yml` — same de-gate, so `hypatia / Hypatia Neurosymbolic Analysis` runs on every PR base (and the `Hypatia` app check rides along).
- `governance-baseline.yml` + `governance-baseline-impl.yml` (new) — a local reusable whose caller job id `governance` + reusable job `Validate Hypatia baseline` re-emit the exact pinned context `governance / Validate Hypatia baseline`, on every PR. It is:
  - additive: the `governance.yml` gate is untouched; the repo now emits both `governance` and `governance / Validate Hypatia baseline`;
  - local: no `@main` cross-repo coupling, and it declares no `concurrency:` in the reusable (avoids the BP008 startup-failure class);
  - validates `.hypatia-baseline.json` with `jq` (no npm) when present; passes with a notice when absent (this repo's current state).

## Residuals that need branch-protection admin (cannot be done from repo files)

- `Hypatia` app check: de-gating the scan is the best repo-side lever, but the app posting is ultimately external. If it still shows "Expected" on some PRs, either make it post unconditionally or de-require it.
- Repoint `governance / Validate Hypatia baseline` → `governance`, and confirm no other `governance / *` sub-checks (the reusable emits 8) are still pinned from the pre-#603/#604 era (#603: ci: make CI standalone (drop estate reusable workflows + third-party setup action); #604: ci: fix standalone-CI fallout — SHA-pin actions, de-trip secret scanner). The local-reusable bridge here exists only so the box can go green without that admin access; if you'd rather repoint the pin, this bridge can be dropped.

## Verification

- This PR's own run should now report all four contexts instead of leaving them "Expected";
- `governance / Validate Hypatia baseline` is self-demonstrating (the new workflow runs on this PR). I'll confirm from the check-runs once they land.

## Estate note

`codeql.yml` / `hypatia-scan.yml` carry the identical `branches:[main,master]` PR gate in `hypatia`, `gitbot-fleet`, and `.git-private-farm`; the same de-gate applies there. The `governance` divergence is affinescript-only — the other three still call the reusable and emit `governance / Validate Hypatia baseline` natively.

🤖 Generated with Claude Code
https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26

Generated by Claude Code
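As an added, offline illustration of the diagnosis in the PR body above (example code, not the repo's own tooling or any workflow shipped in #645): a small Python model of the two questions the description poses, whether a pinned context was ever reported on a head commit, and whether a workflow's `pull_request` branch filter can emit that context for a given base at all. The required-context list, the `on:` blocks and the check-runs payload are constructed to mirror the PR text; the function names (`gh_glob`, `pr_fires`, `never_reported`, `predict_orphans`) are mine. `gh_glob` approximates GitHub's branch-filter globs (`*` and `?` do not cross `/`, `**` does) and does not handle `!` negation patterns.

```python
"""Model of the "Expected - Waiting for status to be reported" trap.

Added example: required contexts that no workflow can emit for a given
PR base are orphaned pins, and GitHub shows them as a permanent "Expected".
All data below is constructed to mirror the PR description.
"""
from __future__ import annotations
import re


def gh_glob(pattern: str) -> re.Pattern:
    """Translate a GitHub branch-filter glob to a regex.
    `*`/`?` stop at `/`, `**` crosses it. Assumption: no `!` negation."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"; i += 2
        elif pattern[i] == "*":
            out += "[^/]*"; i += 1
        elif pattern[i] == "?":
            out += "[^/]"; i += 1
        else:
            out += re.escape(pattern[i]); i += 1
    return re.compile(f"^{out}$")


def pr_fires(on, base: str) -> bool:
    """Would a pull_request against `base` run a workflow with this `on:` block?
    Accepts the string, list and mapping forms YAML allows for `on:`."""
    if isinstance(on, str):
        return on == "pull_request"
    if isinstance(on, list):
        return "pull_request" in on
    if "pull_request" not in on:
        return False
    pr = on["pull_request"] or {}          # `pull_request:` with no body -> None
    only = pr.get("branches")
    skip = pr.get("branches-ignore") or []
    if only is not None and not any(gh_glob(p).match(base) for p in only):
        return False                       # branch-filtered: check never created
    return not any(gh_glob(p).match(base) for p in skip)


def never_reported(required, check_runs, statuses=()):
    """Required contexts absent from a head commit's check runs and statuses.
    Field names follow the REST API: check_runs[].name, statuses[].context."""
    seen = {cr["name"] for cr in check_runs} | {s["context"] for s in statuses}
    return [c for c in required if c not in seen]


def predict_orphans(required, workflows, base):
    """Classify each required context for a PR against `base`."""
    report = {}
    for ctx in required:
        emitters = [w for w in workflows if ctx in w["emits"]]
        if any(pr_fires(w["on"], base) for w in emitters):
            report[ctx] = "ok"
        elif emitters:
            files = ", ".join(w["file"] for w in emitters)
            report[ctx] = f"branch-filtered ({files})"
        else:   # renamed/migrated job, or a check posted by an external app
            report[ctx] = "not-emitted (renamed job or external app check)"
    return report


# --- constructed sample data mirroring the PR description -------------------
REQUIRED = [
    "analyze (actions, none)",
    "hypatia / Hypatia Neurosymbolic Analysis",
    "Hypatia",
    "governance / Validate Hypatia baseline",
]
GATED = {"pull_request": {"branches": ["main", "master"]}, "push": {"branches": ["main"]}}
UNGATED = {"pull_request": None, "push": {"branches": ["main"]}}

BEFORE = [  # repo state that produced the four permanent "Expected" rows
    {"file": "codeql.yml", "on": GATED, "emits": ["analyze (actions, none)"]},
    {"file": "hypatia-scan.yml", "on": GATED, "emits": ["hypatia / Hypatia Neurosymbolic Analysis"]},
    {"file": "governance.yml", "on": UNGATED, "emits": ["governance"]},
]
AFTER = [   # de-gated scans plus the local reusable re-emitting the pinned name
    {"file": "codeql.yml", "on": UNGATED, "emits": ["analyze (actions, none)"]},
    {"file": "hypatia-scan.yml", "on": UNGATED, "emits": ["hypatia / Hypatia Neurosymbolic Analysis"]},
    {"file": "governance.yml", "on": UNGATED, "emits": ["governance"]},
    {"file": "governance-baseline.yml", "on": UNGATED, "emits": ["governance / Validate Hypatia baseline"]},
]

# Constructed check-runs list for a PR head where only the standalone gate ran.
SAMPLE_CHECK_RUNS = [{"name": "governance", "status": "completed", "conclusion": "success"}]

if __name__ == "__main__":
    for label, wfs in (("before", BEFORE), ("after", AFTER)):
        for ctx, why in predict_orphans(REQUIRED, wfs, "develop").items():
            print(f"{label:6} {ctx!r}: {why}")
    print("never reported on sample head:", never_reported(REQUIRED, SAMPLE_CHECK_RUNS))
```

The `Hypatia` row stays `not-emitted` even after the fix: no workflow file in the repo produces it, which is exactly why the PR body lists it under residuals needing branch-protection admin rather than a repo-side change.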