From f2bff55b71d470077d737f198d15dc1607e37ef7 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 27 Jun 2026 12:03:29 +0100
Subject: [PATCH 1/3] ci: re-pin hypatia-scan reusable to standards HEAD d7c2271 (hypatia#464)
---
 .github/workflows/hypatia-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 5a9f3bd04..bc2d36659 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -21,6 +21,6 @@ permissions:
 pull-requests: write
 jobs:
 hypatia:
- uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
+ uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@d7c22711e830e1f383846472f6e9b99debdb201e
 timeout-minutes: 10
- secrets: inherit
+ secrets: inherit
\ No newline at end of file
From df0cfce904bda4eb206888fdb057e2f8d5a3cbe0 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 27 Jun 2026 12:03:31 +0100
Subject: [PATCH 2/3] ci: re-pin governance reusable to standards HEAD d7c2271 (hypatia#464)
---
 .github/workflows/governance.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index cc140118d..57504465d 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -27,4 +27,4 @@ permissions:
 contents: read
 jobs:
 governance:
- uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
+ uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@d7c22711e830e1f383846472f6e9b99debdb201e
\ No newline at end of file
From 6e7ab40d05431afdd5b096262426213bfcf76686 Mon Sep 17 00:00:00 2001
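Review bot: The re-added `secrets: inherit` pair at the end of the hypatia-scan.yml hunk exists only because the file lost its trailing newline (`\ No newline at end of file` follows the `+` line), turning a one-line re-pin into a two-line change that will resurface as noise in the next diff; the governance.yml hunk has the same problem on its `uses:` line. Restoring the final newline keeps each hunk to the SHA change alone. The new pin is a bare 40-character SHA with no annotation, so a reader cannot tell which standards ref it tracks without the commit message; the deleted scorecard-enforcer.yml annotated its pins (`# v7.0.0`, `# v2.4.3`), and the same convention would help here, e.g. `uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@d7c22711e830e1f383846472f6e9b99debdb201e # standards HEAD d7c2271 (hypatia#464)`. Because `secrets: inherit` forwards the caller's secrets to whatever the pinned SHA runs, that annotation is also the audit trail for what was reviewed each time the pin moves.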
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 27 Jun 2026 12:03:33 +0100
Subject: [PATCH 3/3] ci: remove retired scorecard-enforcer.yml (hypatia#464)
---
 .github/workflows/scorecard-enforcer.yml | 96 ------------------------
 1 file changed, 96 deletions(-)
 delete mode 100644 .github/workflows/scorecard-enforcer.yml
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
deleted file mode 100644
index a6d65c5dc..000000000
--- a/.github/workflows/scorecard-enforcer.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-# SPDX-License-Identifier: MPL-2.0
-# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
-name: OpenSSF Scorecard Enforcer
-on:
- push:
- branches: [main]
- schedule:
- - cron: '0 6 * * 1' # Weekly on Monday
- workflow_dispatch:
-# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
-# updates do not pile up queued runs against the shared account-wide
-# Actions concurrency pool. Applied only to read-only check workflows
-# (no publish/mutation), so cancelling a superseded run is always safe.
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-permissions:
- contents: read
-jobs:
- # The OSSF Scorecard publish endpoint enforces a hard contract: the job that
- # runs `ossf/scorecard-action` with `publish_results: true` must contain
- # ONLY steps with `uses:` (no `run:` steps in the same job). If a `run:`
- # step is present, the publish step fails with:
- # "webapp: scorecard job must only have steps with uses"
- # (49 estate repos hit this; see ROADMAP audit 2026-05-30.)
- #
- # Fix: split the threshold check into a downstream job that depends on
- # `scorecard` and consumes the SARIF artifact. The `scorecard` job stays
- # uses-only; `check-score` is the gating job that emits the error.
- scorecard:
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- id-token: write # For OIDC
- steps:
- - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- with:
- persist-credentials: false
- - name: Run Scorecard
- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
- with:
- results_file: results.sarif
- results_format: sarif
- publish_results: true
- - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
- with:
- sarif_file: results.sarif
- - name: Persist SARIF for downstream score-gate job
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: scorecard-results
- path: results.sarif
- retention-days: 1
- check-score:
- needs: scorecard
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - name: Download SARIF from scorecard job
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5.0.0
- with:
- name: scorecard-results
- - name: Check minimum score
- run: |
- SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0")
-
- echo "OpenSSF Scorecard Score: $SCORE"
-
- # Minimum acceptable score (0-10 scale)
- MIN_SCORE=5
-
- if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then
- echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
- exit 1
- fi
- # Check specific high-priority items
- check-critical:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- - name: Check SECURITY.md exists
- run: |
- if [ ! -f "SECURITY.md" ]; then
- echo "::error::SECURITY.md is required"
- exit 1
- fi
- - name: Check for pinned dependencies
- run: |
- # Check workflows for unpinned actions
- unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
- if [ -n "$unpinned" ]; then
- echo "::warning::Found unpinned actions:"
- echo "$unpinned"
- fi