CI: repair broken hyperpolymath/standards@5a93d9d pin (Hypatia / OSSF Scorecard / Rust CI)

[hyperpolymath]

Problem

Three CI workflows fail on every push/PR because they pin a broken upstream reusable workflow:

• Hypatia Security Scan, OSSF Scorecard, and Rust CI all pin hyperpolymath/standards@5a93d9d57cc04de4002d6d0ecd336fc7a8698910.
• The Hypatia reusable at that SHA references an unresolvable actions/cache@d4373f267a887d77f9eb0683a479ec60b1fe5b2b:

  ##[error]Unable to resolve action `actions/cache@d4373f...`, unable to find version
  

  The job dies at "Prepare all required actions" before doing any work.

The repo's other Hypatia job ("Hypatia neurosymbolic scan") still passes, so analysis coverage is retained.

Fix (two steps, two repos)

1. In hyperpolymath/standards (out of this repo's scope): repair the actions/cache pin in the reusable workflow(s) — replace the bad SHA with a valid actions/cache v4 SHA (the estate already uses 0057852bfaa89a56745cba8c7296529d2fc39830 in casket-pages.yml).
2. Here: once standards has a fixed commit, bump the consumer pins in .github/workflows/hypatia-scan.yml, governance.yml, and scorecard.yml from 5a93d9d to the fixed SHA.

Out of scope (separate, expected)

• dogfood-gate, GitHub Pages — fail/cancel as expected for a scaffold; not blocking.
• Instant Sync — fails on a missing/expired FARM_DISPATCH_TOKEN secret (set the secret or ignore).

[hyperpolymath]

Update — pin/staleness half resolved via #41.

PR #41 refreshed the three out-of-window pins 5a93d9d → standards HEAD 09e7023d24682621bea4e11965a1ef5e87d86c3b (merged). Result:

• ✅ governance / Check Workflow Staleness now passes.
• ✅ actions/cache infra error gone — standards HEAD carries a valid pin (1bd1e32a), so the Hypatia reusable now executes instead of dying at action-resolution.

Remaining (separate from this pin):

• ⚠️ Hypatia now content-fails: 3 findings >= medium (critical=0, high=1, medium=2) → exit 1. The 2 medium are likely GS007 (branch count — being pruned now) + DependencyPinning (known false positive). The 1 high is new and needs triage (findings go to hypatia-findings.json, not the job log).
• ⚠️ Rust CI pins a different SHA (cc5a372a, rust-ci-reusable.yml), not 5a93d9d — its failure is unrelated to this pin and still open; needs its own look.

Recommend splitting follow-ups for (a) the 1 high Hypatia finding and (b) the Rust CI pin.

---

Generated by Claude Code

[hyperpolymath]

Rust CI diagnosis (from #42).

Bumping rust-ci's pin cc5a372a → 09e7023d (standards HEAD) cleared the old "0 jobs" silent failure — the reusable now runs — but Rust CI can't be greened from this repo:

• Omit toolchain → inner dtolnay/rust-toolchain fails: "'toolchain' is a required input."
• Pass with: { toolchain: stable } → startup_failure: toolchain is not a declared input of rust-ci-reusable.yml@09e7023d.

No caller value satisfies both, so the HEAD rust-ci-reusable.yml has a broken toolchain contract. Fix belongs in hyperpolymath/standards — declare + forward a toolchain input (with a default), or hardcode a channel in the reusable. #42 keeps wokelangiser's pin aligned with #41; Rust CI stays red until that upstream fix.

---

Generated by Claude Code