
ci(hypatia-scan): drop timeout-minutes from the reusable-caller job (the real 0-jobs fix)#65

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/gallant-faraday-LSAGJ
Jun 20, 2026

Conversation

@hyperpolymath

Owner

The real root cause of nextgen-* hypatia staying at 0-jobs — and an apology: this is the fix that should have come first.

A job that calls a reusable workflow (jobs.<id>.uses:) may not declare timeout-minutes — it's only valid on normal (runs-on + steps) jobs. With it present, GitHub rejects the whole file as invalid:

(Line 32) Required property is missing: runs-on
(Line 33) Unexpected value 'uses'
(Line 34) Unexpected value 'secrets'

An unparseable workflow produces a run with 0 jobs — at every pin, regardless of permissions or repo settings. That's why nextgen-typing/nextgen-languages never moved off 0-jobs while eclexia/Axiom (which never had timeout-minutes on the caller) worked once repinned. The earlier "stale pin / actions: read / repo-settings" theories were all downstream of this parse failure.

Fix: remove timeout-minutes from the caller job. The reusable enforces its own per-job timeout (timeout-minutes: 20 inside hypatia-scan-reusable.yml), so nothing is lost.

Validated: workflow_dispatch on this branch now returns 204 queued (previously 422 failed to parse) — GitHub accepts the file and scheduled a real run. Builds on the merged #64 (repin + actions: read), which remain correct and necessary. (nextgen-typing also has its own inline "Hypatia neurosymbolic scan", unaffected.)

🤖 Generated with Claude Code

https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG


Generated by Claude Code

A job that uses a reusable workflow (jobs.<id>.uses) may not declare timeout-minutes — GitHub rejects the file as invalid ("Unexpected value 'uses'/'secrets'; Required property is missing: runs-on"), so the workflow never parsed and every run produced 0 jobs, at every pin. This is why nextgen-* stayed 0-jobs while eclexia/Axiom (no timeout-minutes) worked. Removing the line makes the caller valid; the reusable enforces its own per-job timeout.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG
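The parse failure described above is easy to miss in review because GitHub reports it only at run time (a run with 0 jobs, or a 422 from workflow_dispatch). A pre-merge lint that flags keys on a `uses:` caller job that GitHub only accepts on normal `runs-on` + `steps` jobs catches it before push. The following is an added example by the editor, not code from this PR or the project; the allowed-key list follows the GitHub Actions documentation for reusable-workflow caller jobs, the three workflow texts are constructed for the example, and the `example-org/example-repo@0123456` reference is a placeholder. It also catches the other keys that break a caller job the same way (`env`, `container`, `services`, `environment`, `continue-on-error`), not only `timeout-minutes`.

```python
"""Lint GitHub Actions workflows for reusable-workflow caller jobs that carry keys
GitHub only permits on normal (runs-on + steps) jobs.

Added example; not the project's own tooling. The toy indentation-based scan
below avoids a PyYAML dependency and assumes the 2-space indentation used in
the constructed samples."""

import re

# Keys GitHub accepts on jobs.<id> when that job has `uses:` (per the Actions docs).
CALLER_ALLOWED = {
    "name", "needs", "if", "permissions", "uses", "with",
    "secrets", "strategy", "concurrency",
}

_KEY_RE = re.compile(r"^( *)([A-Za-z0-9_-]+):")


def job_keys(workflow_text: str) -> dict[str, set[str]]:
    """Return {job_id: set of top-level keys} for every job under `jobs:`.

    Only lines at indent 2 (job ids) and indent 4 (job keys) are considered;
    deeper lines (steps, `with:` inputs) are ignored."""
    jobs: dict[str, set[str]] = {}
    in_jobs = False
    current = None
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                       # new top-level mapping
            in_jobs = line.startswith("jobs:")
            current = None
            continue
        if not in_jobs:
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue                          # list items, scalars, etc.
        if indent == 2:
            current = m.group(2)
            jobs[current] = set()
        elif indent == 4 and current is not None:
            jobs[current].add(m.group(2))
    return jobs


def lint_caller_jobs(workflow_text: str) -> list[tuple[str, str]]:
    """Return (job_id, offending_key) pairs for caller jobs that would make
    GitHub reject the whole file; an empty list means no caller-job problem."""
    findings = []
    for job_id, keys in job_keys(workflow_text).items():
        if "uses" not in keys:
            continue                          # normal job: timeout-minutes is fine here
        for bad in sorted(keys - CALLER_ALLOWED):
            findings.append((job_id, bad))
    return findings


# Constructed sample: the pre-fix caller shape (timeout-minutes on a `uses:` job).
BROKEN_CALLER = """\
name: hypatia-scan
on:
  push:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read
  actions: read

jobs:
  scan:
    uses: example-org/example-repo/.github/workflows/hypatia-scan-reusable.yml@0123456
    secrets: inherit
    timeout-minutes: 20   # rejected: not valid on a caller job
"""

# Constructed sample: the post-fix caller shape.
FIXED_CALLER = BROKEN_CALLER.replace("    timeout-minutes: 20   # rejected: not valid on a caller job\n", "")

# Constructed sample: the reusable workflow keeps its own timeout on a runs-on job.
REUSABLE_WORKFLOW = """\
name: hypatia-scan-reusable
on:
  workflow_call:

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - run: echo scanning
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CALLER), ("fixed", FIXED_CALLER), ("reusable", REUSABLE_WORKFLOW)):
        print(label, lint_caller_jobs(text) or "ok")
```

Run it as a pre-commit hook over `.github/workflows/*.yml`; a non-empty result means GitHub will refuse the file and every run will show 0 jobs, whatever the pin or permissions. For the same check against the live repo, a `POST` to the workflow's `dispatches` endpoint (for example via `gh api`) returns 204 for a file GitHub accepts and 422 for one it cannot parse, which is the signal the PR author used to validate this fix.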
@github-actions


🔍 Hypatia Security Scan

Findings: 30 issues detected

Severity Count
🔴 Critical 1
🟠 High 17
🟡 Medium 12

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in rsr-antipattern.yml",
    "type": "unanchored_heading_regex",
    "file": "rsr-antipattern.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/nextgen-typing/nextgen-typing/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/nextgen-typing/nextgen-typing/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in nextgen-typing: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/nextgen-typing/nextgen-typing",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 6 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): FuzzingID -- Fuzzing -- 7 day(s) old",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): MaintainedID -- Maintained -- 7 day(s) old",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Scorecard): CodeReviewID -- Code-Review -- 7 day(s) old",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 20, 2026 17:50
@hyperpolymath hyperpolymath merged commit c6f8a7c into main Jun 20, 2026
22 of 23 checks passed
@hyperpolymath hyperpolymath deleted the claude/gallant-faraday-LSAGJ branch June 20, 2026 17:50