Symptom (estate-wide, on every PR/push)
Two checks fail across hyperpolymath repos that consume the shared reusable workflows in hyperpolymath/standards:
- scan / Hypatia Neurosymbolic Analysis fails in ~3s: Unable to resolve action actions/cache@d4373f267a887d77f9eb0683a479ec60b1fe5b2b, unable to find version d4373f26…
- governance / Check Workflow Staleness fails.
Root cause
Consumers call three reusables via thin caller stubs:
  uses: hyperpolymath/standards/.github/workflows/{hypatia-scan,governance,scorecard}-reusable.yml@<sha>
The pinned <sha>s are stale: at those old commits, hypatia-scan-reusable.yml pins a non-existent actions/cache@d4373f26…. standards@main (4ddc926b4b86451c2711a16bf927ed16ad2db45e) already fixes it: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0. The staleness gate (governance-reusable.yml → scripts/check-workflow-staleness.sh) then flags the stale refs.
A naive SHA bump is not sufficient: hypatia-scan-reusable.yml's workflow_call interface also changed:
- OLD (@915139d7): inputs: { runs-on }, permissions: { security-events: write, pull-requests: write }
- NEW (@main): no inputs, permissions: { security-events: read }
Pinning convention (decided)
Immutable full-SHA, pin all three reusables to standards@4ddc926b4b86451c2711a16bf927ed16ad2db45e. Rationale: every estate caller stub uses a 40-char SHA, and hypatia's own security policy mandates SHA-pinned dependencies — a moving @v1 tag would cut against the norm.
Proposed caller-stub fixes (grounded in the in-scope twins; verify interface against standards@4ddc926b before merge)
hypatia-scan.yml (the interface-changed one):

```yaml
permissions:
  contents: read
  security-events: read   # was: write; drop `pull-requests: write`
jobs:
  hypatia:
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@4ddc926b4b86451c2711a16bf927ed16ad2db45e
    secrets: inherit
    # If the old stub had `with: { runs-on: … }`, delete it (new interface takes no inputs).
    # Do not set `timeout-minutes` here: a job that calls a reusable workflow only accepts
    # name/uses/with/secrets/strategy/needs/if/concurrency/permissions; a timeout belongs
    # on the jobs inside the reusable workflow itself.
```
governance.yml / scorecard.yml: SHA-bump only (interfaces not reported changed; keep scorecard's security-events: write + id-token: write for SARIF upload).
In-scope consumer status (read live this session)
- gitbot-fleet main: hypatia-scan.yml is already at an intermediate @6cd3772824e59c8c9affeab66061e25383544242 (not the broken 915139d7, not the fixed 4ddc926b). Status unknown: needs comparison against standards history to know whether 6cd37728 carries the valid cache pin or still needs bumping.
- Other in-scope consumer, main: hypatia-scan.yml at @5eb28d7d…; its Hypatia Neurosymbolic Analysis check passed on PR "docs(status): session handover snapshot 2026-06-20" #517, so likely already OK; verify.
Verification checklist (requires standards scope)
- Confirm hypatia-scan-reusable.yml@4ddc926b pins actions/cache@1bd1e32a…, that its on.workflow_call declares no inputs plus security-events: read, and that it still accepts secrets: inherit.
- Read scripts/check-workflow-staleness.sh to learn exactly what it compares (target ref/tag vs. consumer pins) and whether it requires a .hypatia-baseline.json (both in-scope repos have one; consumers likely each need one).
- Confirm the governance-reusable.yml / scorecard-reusable.yml@4ddc926b interfaces didn't also change.
- Confirm whether standards publishes a moving tag and whether the staleness script prefers it (recommendation stands: SHA).
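As an added example (not hyperpolymath's scripts/check-workflow-staleness.sh, whose exact comparison is still to be read), a small POSIX sh audit over constructed caller stubs: it reports, per reusable reference, whether the pin is at the target SHA, a stale full SHA, or a moving ref, and flags a hypatia-scan stub that still passes the `with:` block the @4ddc926b interface no longer declares. The target SHA is the one proposed above; the stale SHA and the stub files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not hyperpolymath's scripts/check-workflow-staleness.sh: audits
# caller stubs for stale pins of the standards reusables and for the `with:` block
# that the no-input hypatia-scan interface at @4ddc926b would reject.
TARGET_SHA="4ddc926b4b86451c2711a16bf927ed16ad2db45e"   # standards@main per the issue
REUSABLE_RE='hyperpolymath/standards/\.github/workflows/[a-z-]+-reusable\.yml@[^[:space:]]+'

# Prints one "FILE<TAB>REF<TAB>STATUS" line per reusable reference in FILE.
# STATUS: ok (target SHA), stale (some other 40-hex SHA), moving (@main, @v1, ...).
audit_pins() {
  grep -oE "$REUSABLE_RE" "$1" | while IFS= read -r use; do
    ref="${use##*@}"
    if [ "$ref" = "$TARGET_SHA" ]; then status=ok
    elif printf '%s\n' "$ref" | grep -qE '^[0-9a-f]{40}$'; then status=stale
    else status=moving
    fi
    printf '%s\t%s\t%s\n' "$1" "$ref" "$status"
  done
}

# Succeeds when FILE calls hypatia-scan-reusable.yml and still passes `with:`.
has_dropped_input() {
  grep -q 'hypatia-scan-reusable\.yml@' "$1" && grep -qE '^[[:space:]]*with:' "$1"
}

# Constructed sample stubs (not real estate files); the stale SHA is a placeholder.
SCRATCH="$(mktemp -d)"
cat > "$SCRATCH/hypatia-scan.yml" <<'EOF'
jobs:
  hypatia:
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    with: { runs-on: ubuntu-latest }
EOF
cat > "$SCRATCH/scorecard.yml" <<'EOF'
jobs:
  scorecard:
    uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@main
EOF
cat > "$SCRATCH/governance.yml" <<'EOF'
jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@4ddc926b4b86451c2711a16bf927ed16ad2db45e
EOF

for f in "$SCRATCH"/*.yml; do
  audit_pins "$f"
  has_dropped_input "$f" && printf '%s\t-\tdrop-with-block\n' "$f"
done
```

Point the loop at a consumer's .github/workflows/ directory to get the same three verdicts for its real stubs.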
Acceptance
On a test PR in a consuming repo: scan / Hypatia Neurosymbolic Analysis resolves its actions and runs (no "Unable to resolve action"), and governance / Check Workflow Staleness passes.
Scope note
This needs hyperpolymath/standards + verisimdb + quandledb + vcl-ut in the working session's GitHub scope. The session that filed this was limited to hypatia/gitbot-fleet/.git-private-farm and the add_repo tool was unavailable, so neither the source nor the named consumers could be read or edited.
Per-consumer pin map
- 915139d7 → 4ddc926b
- 861b5e91 → 4ddc926b
- e0caf115 → 4ddc926b
- 5a93d9d5 → 4ddc926b
- 5a93d9d5 → 4ddc926b
- 5a93d9d5 → 4ddc926b
- 2569c10e → 4ddc926b
- @main → 4ddc926b (pin the moving ref)
- e0caf115 → 4ddc926b
Related
- standards#191 (reusable design)
- #421 "wire reusable_workflow_sha_bump_needs_propagation rule: rule exists, registry+dispatch wiring missing" (the reusable_workflow_sha_bump_needs_propagation detector rule, i.e. the rule that should catch this class automatically)