fix(security): pin governance reusable to SHA, migrate stale PMPL-1.0 headers, tighten dispatch gate#31
Merged
… headers, tighten dispatch gate

Follow-ups to #30 (which merged before these could be appended):
- governance.yml: pin governance-reusable.yml@main -> @e0caf11508a3989574713c78f5f444f2ce5e33ef (the standards commit scorecard.yml already trusts). Clears the DependencyPinning finding.
- License: migrate the remaining stale PMPL-1.0 SPDX headers to MPL-2.0 on codeql.yml, scorecard.yml and secret-scanner.yml (leftovers from the repo's PMPL-1.0 -> MPL-2.0 migration). No docs carried stale SPDX headers, so CC-BY-SA-4.0 had no targets this pass.
- instant-sync.yml: the repository-dispatch action now consumes the gated env var (token: env.FARM_DISPATCH_TOKEN) instead of secrets directly, so the presence gate and the secret consumption reference the same identifier, helping workflow_audit recognise the gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
🔍 Hypatia Security Scan: 11 issues detected
[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/wokelangiser/wokelangiser/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 24,
"reason": "Secret found: Generic API key",
"type": "secret_detected",
"file": "/home/runner/work/wokelangiser/wokelangiser/.envrc",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in wokelangiser: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/wokelangiser/wokelangiser",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in wokelangiser",
"type": "DependencyPinning",
"file": "/home/runner/work/wokelangiser/wokelangiser",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
},
{
"reason": "Repository has 10 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/secret_action_without_presence_gate -- Hypatia workflow_audit: secret_action_without_presence_gate -- 20 day(s) old [STALE]",
"type": "CSA001",
"file": "instant-sync.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/scorecard_publish_with_run_step -- Hypatia workflow_audit: scorecard_publish_with_run_step -- 20 day(s) old [STALE]",
"type": "CSA001",
"file": "scorecard-enforcer.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code-scanning alert hypatia/workflow_audit/secret_action_without_presence_gate (high) at instant-sync.yml is 20 days old (threshold: 7 days) -- overdue for remediation",
"type": "CSA003",
"file": "instant-sync.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code-scanning alert hypatia/workflow_audit/scorecard_publish_with_run_step (high) at scorecard-enforcer.yml is 20 days old (threshold: 7 days) -- overdue for remediation",
"type": "CSA003",
"file": "scorecard-enforcer.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
The e0caf115 pin (the SHA scorecard.yml uses) broke 'governance / Language / package anti-pattern policy': that older governance-reusable.yml version checks out hyperpolymath/standards at the CALLER's commit (github.sha = the wokelangiser PR merge commit), which doesn't exist in standards -> 'fatal: remote error: upload-pack: not our ref'. The @main version doesn't have this bug, so the revert restores green CI. DependencyPinning stays open until a current standards@main SHA (with the fix) is available; standards is out of this session's scope.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
🔍 Hypatia Security Scan: 11 issues detected (the same 11 findings as the scan above)
hyperpolymath added a commit that referenced this pull request on Jun 20, 2026:
Pins governance.yml's reusable-workflow ref from the moving @main to the commit it currently resolves to, 78b29005efe954822c86c553b40523b9fdae78d4 (read from the passing run's referenced_workflows metadata). Clears the OpenSSF Pinned-Dependencies / DependencyPinning finding. This is the CURRENT, fixed standards bundle (identical to what has been passing as @main), not the broken e0caf115 commit #31 had to revert (that older version checked out standards at the caller's SHA). Trade-off: governance no longer auto-tracks standards@main; bump this SHA when the standards bundle updates.

Claude-Session: https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
Co-authored-by: Claude <noreply@anthropic.com>
Follow-ups to #30. Net effect: 2 hardening fixes — the governance SHA-pin was attempted but reverted (see below).
Changes (4 files, +4/-4)
- License: migrate the remaining stale PMPL-1.0 SPDX headers to MPL-2.0 on codeql.yml, scorecard.yml, secret-scanner.yml (leftovers from the repo's PMPL-1.0 → MPL-2.0 migration). No docs carried stale SPDX headers, so CC-BY-SA-4.0 had no targets this pass.
- instant-sync.yml — the repository-dispatch action now consumes the gated env var (token: ${{ env.FARM_DISPATCH_TOKEN }}) so the presence-gate if: and the secret consumption reference the same identifier. ✅ This cleared the live secret_action_without_presence_gate finding (#30's env-mapped form, "fix(security): scorecard job permissions, dispatch secret-gate, .envrc placeholder", was functionally correct, but Hypatia hadn't linked it to the secret).

Reverted: governance SHA-pin
I pinned governance.yml's governance-reusable.yml@main → @e0caf115 (the SHA scorecard.yml trusts), but CI proved that commit is broken: its Language / package anti-pattern policy job checks out hyperpolymath/standards at the caller's github.sha (the wokelangiser PR merge commit), which doesn't exist in standards → fatal: remote error: upload-pack: not our ref. The @main version fixed this bug. Reverted to @main to keep CI green. DependencyPinning therefore stays open. A proper pin needs the current standards@main SHA (which contains the fix); standards is out of this session's read scope. Paste that SHA and I'll apply it.

🤖 Generated with Claude Code
https://claude.ai/code/session_01Y2MWTAqX2x7goVJzjFB4j5
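As an added example (not Hypatia's workflow_audit and not wokelangiser's own code), the script below implements the three workflow checks this PR's commits and description keep running into: SHA-pinning of every `uses:` ref (Pinned-Dependencies), a presence gate whose `if:` names the same identifier the action actually consumes (so `if: env.X != ''` over `token: ${{ secrets.X }}` is flagged and `token: ${{ env.X }}` passes), and a checkout of another repository at the caller's `github.sha`, the bug behind the e0caf115 revert. The two workflow texts are constructed: the reusable-workflow path under `.github/workflows/`, the `example/repository-dispatch` action and the `0123…`/`89ab…` SHAs are placeholders, while `78b29005…` is the standards commit quoted on this page.

```python
import re

# Added example (not Hypatia's workflow_audit, not wokelangiser's code): three checks
# matching the findings this PR bounced off. The reusable-workflow path, the
# example/repository-dispatch action and the 0123.../89ab... SHAs are placeholders;
# 78b29005... is the standards commit quoted on the page. The step parser assumes the
# usual 2-space YAML layout with steps indented six spaces; real tooling should load YAML.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^[ \t]*(?:-[ \t]+)?uses:[ \t]*([^\s#]+)", re.M)
IF_LINE = re.compile(r"^[ \t]*(?:-[ \t]+)?if:")
SECRET = re.compile(r"\bsecrets\.([A-Za-z_]\w*)")
ENV = re.compile(r"\benv\.([A-Za-z_]\w*)")
STEP_START = re.compile(r"^ {6}- ")
ALWAYS_PRESENT = {"GITHUB_TOKEN"}  # issued by the runner, so it needs no presence gate


def _steps(text):
    """Split each job's step list into per-step text blocks (minimal parser)."""
    steps, cur = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if STEP_START.match(line):
            steps.append(cur := [line])
        elif cur is not None and (not line.strip() or indent >= 6):
            cur.append(line)
        else:
            cur = None  # a job-level line ends the current step list
    return ["\n".join(s) for s in steps]


def _ids(text):
    """(context, name) pairs for every secrets.X / env.X reference in text."""
    return {("secrets", n) for n in SECRET.findall(text)} | {("env", n) for n in ENV.findall(text)}


def audit(path, text):
    """Return a list of findings shaped like the scan output above."""
    findings = []
    # 1. Pinned-Dependencies: every action and reusable-workflow ref must be a full SHA.
    for ref in USES.findall(text):
        if not ref.startswith("./") and not SHA40.match(ref.partition("@")[2]):
            findings.append({"type": "tag_pinned_action", "file": path, "detail": ref})
    for step in _steps(text):
        m = USES.search(step)
        if not m:
            continue  # plain run: steps are outside rules 2 and 3
        uses, lines = m.group(1), step.splitlines()
        gated = _ids("\n".join(l for l in lines if IF_LINE.match(l)))
        consumed = {c for c in _ids("\n".join(l for l in lines if not IF_LINE.match(l)))
                    if c[1] not in ALWAYS_PRESENT}
        # 2. Presence gate: the if: must name the identifier the action consumes.
        #    `if: env.X != ''` does not gate a with: that reads secrets.X directly.
        for ctx, name in sorted(consumed - gated):
            findings.append({"type": "secret_action_without_presence_gate", "file": path,
                             "detail": f"{uses} reads {ctx}.{name} but if: does not check it"})
        # 3. Cross-repo checkout at the caller's commit: github.sha belongs to the calling
        #    repo and will not exist in `repository:` (git: upload-pack: not our ref).
        if (uses.startswith("actions/checkout@") and re.search(r"^\s*repository:", step, re.M)
                and re.search(r"^\s*ref:.*github\.(sha|ref)\b", step, re.M)):
            findings.append({"type": "checkout_foreign_repo_at_caller_sha", "file": path,
                             "detail": uses})
    return findings


# Constructed sample: pre-fix shape of governance.yml + instant-sync.yml, folded into one file.
BEFORE = """\
jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
  sync:
    runs-on: ubuntu-latest
    env:
      FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          repository: hyperpolymath/standards
          ref: ${{ github.sha }}
      - if: env.FARM_DISPATCH_TOKEN != ''
        uses: example/repository-dispatch@v1
        with:
          token: ${{ secrets.FARM_DISPATCH_TOKEN }}
"""
# Same file with the three fixes applied (checkout/dispatch SHAs are placeholders).
AFTER = """\
jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@78b29005efe954822c86c553b40523b9fdae78d4
  sync:
    runs-on: ubuntu-latest
    env:
      FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          repository: hyperpolymath/standards
          ref: 78b29005efe954822c86c553b40523b9fdae78d4
      - if: env.FARM_DISPATCH_TOKEN != ''
        uses: example/repository-dispatch@89abcdef0123456789abcdef0123456789abcdef
        with:
          token: ${{ env.FARM_DISPATCH_TOKEN }}
"""

if __name__ == "__main__":
    for path, text in (("before.yml", BEFORE), ("after.yml", AFTER)):
        for f in audit(path, text) or [{"file": path, "type": "clean", "detail": ""}]:
            print(f["file"], f["type"], f["detail"])
```

Running it reports six findings for the pre-fix file (four unpinned refs, the foreign checkout at `github.sha`, and the dispatch step whose gate names `env.FARM_DISPATCH_TOKEN` while the action reads `secrets.FARM_DISPATCH_TOKEN`) and none for the fixed one. The gate rule deliberately compares context plus name rather than name alone, which is exactly the distinction that made the #30 form look ungated to the scanner.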