From 3708ab2ecda11465e8fd4fd92c9af8584b0b4cec Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 21 Jun 2026 14:19:10 +0000
Subject: [PATCH] docs(audits): record central actions/cache SHA corruption + #394 repair
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Diagnose-and-record audit for the estate-wide `scan / Hypatia Neurosymbolic Analysis` failure (2026-06-20/21): Unable to resolve action actions/cache@d4373f267a887d77f9eb0683a479ec60b1fe5b2b Root cause: the corrupt SHA (a corruption of v4.2.2's d4323d4…) was pinned centrally in the two reusable workflows (hypatia-scan-reusable.yml, governance-reusable.yml) — zero consumer workflows carried it. Already repaired and merged in standards#394 (d72fe5a): re-pinned to the genuine v4.2.0 commit 1bd1e32a…, verified against upstream `git ls-remote`. The audit also documents the propagation caveat (consumers pin reusables by standards SHA, so the post-#394 "Check Workflow Staleness" red is expected drift pending gitbot-fleet enroll-repos re-pin to d72fe5a+) and records two out-of-scope nextgen-databases findings (K9 pedigree missing metadata.name; trusted-base reduction policy red). Adds .adoc + .a2ml companion, mirroring audit-hypatia-pin-orphan-2026-05-27.
Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_0144t85ipupFBhd9eJ8t9vaC
---
 ...patia-cache-sha-corruption-2026-06-21.a2ml | 74 ++++++++++
 ...patia-cache-sha-corruption-2026-06-21.adoc | 134 ++++++++++++++++++
 2 files changed, 208 insertions(+)
 create mode 100644 docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.a2ml
 create mode 100644 docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.adoc

diff --git a/docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.a2ml b/docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.a2ml
new file mode 100644
index 00000000..d45eb98e
--- /dev/null
+++ b/docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.a2ml
@@ -0,0 +1,74 @@
+# SPDX-License-Identifier: MPL-2.0
+# Central Reusable actions/cache SHA Corruption — 2026-06-21
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
+#
+# Machine-readable companion to audit-hypatia-cache-sha-corruption-2026-06-21.adoc.
+# Sibling to audit-hypatia-pin-orphan-2026-05-27.a2ml (a different SHA-pin class).
+
+[manifest]
+schema = "audit/action-sha-corruption/v1"
+date = "2026-06-21"
+campaign_kind = "central_reusable_action_repin"
+human_companion = "audit-hypatia-cache-sha-corruption-2026-06-21.adoc"
+sibling_audit = "audit-hypatia-pin-orphan-2026-05-27.a2ml"
+umbrella_issue = "hyperpolymath/hypatia#464"
+out_of_scope_central_ref = "hyperpolymath/nextgen-typing#69"
+
+[diagnosis]
+failure_class = "third_party_action_pin_unresolved_in_central_reusable"
+failure_stage = "Prepare all required actions"
+failure_banner = "Unable to resolve action actions/cache@d4373f267a887d77f9eb0683a479ec60b1fe5b2b"
+corrupt_sha = "d4373f267a887d77f9eb0683a479ec60b1fe5b2b"
+corrupt_sha_comment = "# v4.2.0"
+likely_source = "corruption of v4.2.2 commit d4323d4df104b026a6aa633fdb11d772146be0bf"
+location = "central only — zero consumer workflows carry the SHA"
+affected_reusables = [
+ ".github/workflows/hypatia-scan-reusable.yml",
+ ".github/workflows/governance-reusable.yml",
+]
+observed_failing = ["nextgen-databases#41", "KnotTheory.jl#29", "nextgen-typing#67", "wokelangiser"]
+
+[verification]
+method = "git ls-remote https://github.com/actions/cache"
+corrupt_sha_resolves = false
+repair_pin = "1bd1e32a3bdc45362d1e726936510720a7c30a57"
+repair_pin_ref = "refs/tags/v4.2.0"
+known_good_v4 = "0057852bfaa89a56745cba8c7296529d2fc39830" # refs/tags/v4 + v4.3.0
+known_good_v5 = "27d5ce7f107fe9357f9df03efb73ab90386fccae" # main + v5 + v5.0.5
+grep_after_fix = "zero matches for d4373f… across standards + hypatia"
+
+[fix]
+pr = "hyperpolymath/standards#394"
+merged_at = "2026-06-21T10:52:13Z"
+merge_commit = "d72fe5a14e841ac6d78514b53624b6173038ee20"
+change = "actions/cache@d4373f… -> actions/cache@1bd1e32a… (# v4.2.0 preserved, now accurate)"
+status = "MERGED to standards/main — central root cause resolved + verified"
+
+[propagation]
+caveat = "necessary but not sufficient: consumers pin reusables by standards commit SHA, not @main"
+consumer_pin_hypatia = "5eb28d7d8790d5389b7b6a5233fe6265a775e3d0"
+consumer_pin_most_repos = "861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613"
+staleness_check = "scripts/check-workflow-staleness.sh fails any consumer whose pinned SHA != current standards HEAD"
+staleness_red_meaning = "expected drift after #394, not a new defect — signals pending re-enrollment"
+re_enroll_target = "d72fe5a (or later standards HEAD)"
+re_enroll_tool = "gitbot-fleet enroll-repos"
+re_enroll_scope = "out_of_scope (consumer repos + gitbot-fleet are not standards/hypatia)"
+
+[companion_findings_nextgen_databases.k9_pedigree]
+file = "verisimdb/connectors/test-infra/deploy.k9.ncl"
+error = "Pedigree block missing 'name'"
+schema_ref = "k9-svc/pedigree.ncl Metadata.name (String, no default -> mandatory)"
+sample_ref = "k9-svc/pandoc/container/deploy.k9.ncl"
+fix = "add metadata.name; ideally metadata.version + validation.pedigree_version + trust_level/security_level ('Kennel|'Yard|'Hunt)"
+scope = "out_of_scope (nextgen-databases repo-internal, pre-existing)"
+
+[companion_findings_nextgen_databases.trusted_base]
+check = "governance / trusted-base"
+policy_ref = "docs/TRUSTED-BASE-REDUCTION-POLICY.adoc + scripts/check-trusted-base.sh"
+cause = "undocumented soundness-relevant escape hatch in a proof-bearing file"
+fix = "discharge / budget / axiom / dated-debt entry in nextgen-databases docs/proof-debt.md"
+scope = "out_of_scope (nextgen-databases repo-internal, pre-existing)"
+
+[not_discharged]
+consumer_re_enrollment = "gitbot-fleet enroll-repos repin of consumers to d72fe5a+ — tracked on hypatia#464"
+nextgen_databases_internal = "K9 pedigree + trusted-base — repo-internal, flagged via hypatia#464 /
nextgen-typing#69"
diff --git a/docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.adoc b/docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.adoc
new file mode 100644
index 00000000..f86450fd
--- /dev/null
+++ b/docs/audits/audit-hypatia-cache-sha-corruption-2026-06-21.adoc
@@ -0,0 +1,134 @@
+// SPDX-License-Identifier: CC-BY-SA-4.0
+// SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell (hyperpolymath)
+
+= Central Reusable actions/cache SHA Corruption — 2026-06-21
+:toc:
+:toclevels: 2
+:source-highlighter: rouge
+:icons: font
+
+Companion machine-readable manifest: `audit-hypatia-cache-sha-corruption-2026-06-21.a2ml`.
+Sibling to `audit-hypatia-pin-orphan-2026-05-27.adoc` — a *different* SHA-pin
+failure class on the same two reusables (that one was the orphaned
+`@` reference to the reusable; this one is a corrupt
+third-party action SHA *inside* the reusable).
+
+== Summary
+
+From 2026-06-20/21 the estate-wide `scan / Hypatia Neurosymbolic Analysis`
+job failed at the *"Prepare all required actions"* stage — before any scan
+step ran — with:
+
+----
+Unable to resolve action `actions/cache@d4373f267a887d77f9eb0683a479ec60b1fe5b2b`
+(unable to find version d4373f267a887d77f9eb0683a479ec60b1fe5b2b)
+----
+
+The corrupt SHA was **not** present in any consumer workflow. It was pinned
+once, centrally, in the two reusable workflows that every estate repo calls:
+
+* `.github/workflows/hypatia-scan-reusable.yml`
+* `.github/workflows/governance-reusable.yml`
+
+Observed failing on `nextgen-databases#41`, `KnotTheory.jl#29`,
+`nextgen-typing#67` (and, per PR #394, `wokelangiser`).
+
+== Root cause
+
+`d4373f267a887d77f9eb0683a479ec60b1fe5b2b` does not correspond to any
+`actions/cache` ref. It is a corruption of v4.2.2's real commit
+`d4323d4df104b026a6aa633fdb11d772146be0bf` — the version comment read
+`# v4.2.0`, but the hash matched neither v4.2.0 nor v4.2.2. GitHub Actions
+resolves a `uses:` SHA as a commit; an unknown SHA fails the whole job at
+parse stage, so no consumer scan ever started.
+
+== Verification
+
+Upstream resolution via `git ls-remote https://github.com/actions/cache`:
+
+[cols="2,3,1", options="header"]
+|===
+| SHA | Upstream ref | Resolves?
+
+| `d4373f26…` (the corrupt pin) | (none) | ✗ bogus
+| `d4323d4d…` (v4.2.2 — the likely typo source) | `refs/tags/v4.2.2` | ✓
+| `1bd1e32a…` (the repair pin) | `refs/tags/v4.2.0` | ✓
+| `0057852b…` (estate "most common") | `refs/tags/v4` + `v4.3.0` | ✓
+| `27d5ce7f…` (estate, used across hypatia) | `main` + `v5` + `v5.0.5` | ✓
+|===
+
+`git grep d4373f267a887d77f9eb0683a479ec60b1fe5b2b` across standards and
+hypatia → zero matches after the fix.
+
+== Fix — standards#394 (merged 2026-06-21T10:52Z, commit `d72fe5a`)
+
+Both reusables re-pinned, preserving the documented version:
+
+[source,diff]
+----
+- uses: actions/cache@d4373f267a887d77f9eb0683a479ec60b1fe5b2b # v4.2.0
++ uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+----
+
+`1bd1e32a…` is the genuine immutable `v4.2.0` commit, so the `# v4.2.0`
+comment is now accurate. This is a surgical hash repair, not a version bump
+to the moving `v4` tag.
+
+== Propagation caveat — necessary but not yet sufficient
+
+Consumers do **not** pin these reusables to `@main`. They pin a specific
+`standards` commit SHA, e.g.:
+
+----
+uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5eb28d7d… (hypatia itself)
+uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e91… (most consumers)
+----
+
+Because the repair landed as a *new* `standards` HEAD (`d72fe5a`), every
+consumer still pinned at a pre-#394 SHA keeps dereferencing the broken cache
+pin until it is re-enrolled to a post-#394 SHA. This is exactly what
+`scripts/check-workflow-staleness.sh` reports — it fails any consumer whose
+pinned SHA != current standards HEAD ("Workflow pins Hypatia reusable before
+cache/baseline-delay fix. Refresh to current standards SHA.").
+
+Therefore the post-#394 `governance / Check Workflow Staleness` red is
+**expected drift**, not a new defect: it is the signal that the estate
+re-enrollment pass (gitbot-fleet `enroll-repos`, repinning consumers to
+`d72fe5a` or later) is still pending. Re-enrollment is the propagation
+mechanism; until it runs, an affected consumer sees both the cache failure
+(if its pinned SHA predates #394) and the staleness failure.
+
+== Companion findings — out of scope (central), recorded for the backlog
+
+These surfaced on `nextgen-databases` alongside the central failure. They are
+**repo-internal**, pre-existing, and not addressed by #394:
+
+. *K9 pedigree validation.* `verisimdb/connectors/test-infra/deploy.k9.ncl`
+ fails "Pedigree block missing 'name'". In `k9-svc/pedigree.ncl`,
+ `Metadata.name | String` is the only metadata field with no `default`, so
+ it is mandatory. Fix: add `metadata.name`; per the canonical
+ `k9-svc/pandoc/container/deploy.k9.ncl` sample, ideally also
+ `metadata.version` + `validation.pedigree_version` and a leash level —
+ `trust_level`/`security_level` ∈ `'Kennel | 'Yard | 'Hunt` (a
+ shell-running `deploy.k9.ncl` is `'Hunt`).
+. *Trusted-base reduction policy.* The `governance / trusted-base` job (per
+ `docs/TRUSTED-BASE-REDUCTION-POLICY.adoc` + `scripts/check-trusted-base.sh`)
+ is red: a soundness-relevant escape hatch in a proof-bearing file in
+ `nextgen-databases` is undocumented. Disposition is per-repo — discharge,
+ budget (`// TRUSTED:`), axiom (`// AXIOM:`), or a dated debt entry in that
+ repo's `docs/proof-debt.md`.
+
+== What this audit does NOT discharge
+
+* The consumer re-enrollment pass (gitbot-fleet `enroll-repos` → repin
+ consumers to `d72fe5a`+). Out of scope for standards + hypatia; tracked on
+ hypatia#464.
+* The two `nextgen-databases` repo-internal findings above. Out of scope
+ (that repo); flagged for its maintainers via hypatia#464 / nextgen-typing#69.
+
+== Cross-references
+
+* Fix PR: `hyperpolymath/standards#394` (merged 2026-06-21).
+* Estate CI-health umbrella: `hyperpolymath/hypatia#464`.
+* "Out of scope — central" list: `hyperpolymath/nextgen-typing#69`.
+* Sibling SHA-pin audit: `audit-hypatia-pin-orphan-2026-05-27.adoc`.