24 changes: 3 additions & 21 deletions .github/workflows/governance.yml
@@ -1,34 +1,16 @@
# SPDX-License-Identifier: MPL-2.0
# governance.yml β€” single wrapper calling the shared estate governance bundle
# in hyperpolymath/standards instead of carrying per-repo copies.
#
# Replaces the per-repo governance scaffolding removed in the same commit:
# quality.yml, guix-nix-policy.yml, npm-bun-blocker.yml, ts-blocker.yml,
# security-policy.yml, rsr-antipattern.yml, wellknown-enforcement.yml,
# workflow-linter.yml
#
# Load-bearing build/security workflows stay standalone in the repo
# (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing).

# SPDX-License-Identifier: PMPL-1.0-or-later
name: Governance

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
# updates do not pile up queued runs against the shared account-wide
# Actions concurrency pool. Applied only to read-only check workflows
# (no publish/mutation), so cancelling a superseded run is always safe.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
governance:
uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910
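Review bot: The new side keeps only the SPDX line above `name: Governance`, so the file no longer records what the shared bundle at the pinned commit covers or why the `concurrency` cancel-in-progress guard was dropped; a short header such as `# Wrapper for the shared estate governance bundle in hyperpolymath/standards.` / `# Superseded-run cancellation is expected to come from the reusable (confirm); bump the pinned SHA from the standards repo.` would preserve that. Pinning to a full commit SHA is the right call; appending the tag or date it corresponds to (`@5a93d9d… # <tag or date>`) keeps the pin bumpable by tooling and reviewable by eye. If the reusable does not itself define a concurrency group, superseded runs on re-pushes will queue again against the shared pool the removed comment described, so it is worth confirming at the pinned commit.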
18 changes: 4 additions & 14 deletions .github/workflows/hypatia-scan.yml
@@ -1,7 +1,4 @@
# SPDX-License-Identifier: MPL-2.0
# Thin wrapper around hyperpolymath/standards hypatia-scan-reusable.yml.
# See standards#191 for the reusable's purpose and design.

# SPDX-License-Identifier: PMPL-1.0-or-later
name: Hypatia Security Scan

on:
Expand All @@ -13,17 +10,10 @@ on:
- cron: '0 0 * * 0'
workflow_dispatch:

# Estate guardrail: cancel superseded runs so re-pushes don't pile up.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
security-events: write
pull-requests: write
security-events: read

jobs:
hypatia:
uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5eb28d7d8790d5389b7b6a5233fe6265a775e3d0
secrets: inherit
scan:
uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910
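Review bot: The `security-events` grant drops from `write` to `read` in the permissions block while the job still calls the hypatia-scan reusable; if that reusable uploads SARIF to code scanning, the upload needs `security-events: write` from the caller (a called workflow cannot exceed the caller's grant), so the failure would surface at run time rather than at parse time. Confirm against the reusable at the pinned commit and, if upload is intended, keep `security-events: write` with a one-line comment naming the step it serves. Dropping `secrets: inherit` likewise leaves the reusable with only `GITHUB_TOKEN`, which is the better default but worth a comment if the scan previously relied on an inherited token. Renaming the job from `hypatia` to `scan` changes the status-check name; any branch-protection rule that requires the old name would need updating.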
83 changes: 0 additions & 83 deletions .github/workflows/scorecard-enforcer.yml

This file was deleted.

23 changes: 10 additions & 13 deletions .github/workflows/scorecard.yml
@@ -1,19 +1,16 @@
# SPDX-License-Identifier: MPL-2.0
name: Scorecards supply-chain security
# SPDX-License-Identifier: PMPL-1.0-or-later
name: OSSF Scorecard

on:
branch_protection_rule:
schedule:
- cron: '23 4 * * 1'
push:
branches: [main]
branches: [main, master]
schedule:
- cron: '0 4 * * *'
workflow_dispatch:

permissions: read-all
permissions:
contents: read

jobs:
analysis:
permissions:
security-events: write
id-token: write
uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
secrets: inherit
scorecard:
uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910
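Review bot: The job-level `security-events: write` and `id-token: write` grants are removed together with the top-level `read-all`, leaving the called scorecard reusable with only `contents: read`; Scorecard's publish-results and SARIF-upload steps need those two write scopes, and a called workflow cannot elevate beyond the caller's grant, so if the reusable at the pinned commit still performs either, it will fail at run time. Confirm what the reusable needs and, if so, add under the `scorecard` job `permissions:` / `security-events: write  # SARIF upload` / `id-token: write  # publish to Scorecard API`, keeping the top-level `contents: read`. The `branch_protection_rule` trigger was also dropped; if the Branch-Protection check is expected to refresh when rules change, either restore it or state in a header comment why the daily cron is considered sufficient.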
8 changes: 7 additions & 1 deletion src/assail/analyzer.rs
Expand Up @@ -1043,7 +1043,13 @@ impl Analyzer {
line: None,
category: WeakPointCategory::UnboundedAllocation,
location: Some(file_path.to_string()),
severity: Severity::Critical,
// Heuristic keyword match ("potential pattern"), not a
// confirmed vulnerability: at Critical this one matcher was
// ~70% of all estate Criticals (2026-06-11 estate-loop
// audit), drowning confirmed findings. Medium reflects its
// confirmation strength; hypatia's ingest applies the same
// cap for scans produced by older binaries.
severity: Severity::Medium,
description: format!(
"Potential unbounded allocation pattern detected in {}",
file_path
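Review bot: The downgrade is a bare `Severity::Medium` with a six-line justification inline in the struct literal; if other heuristic ("potential pattern") matchers in this analyzer are meant to follow the same policy, a module-level `const HEURISTIC_SEVERITY: Severity = Severity::Medium;` carrying the rationale would keep the policy in one place and reduce this site to `severity: HEURISTIC_SEVERITY,`. The comment also pins the decision to a dated audit figure and to a matching cap in hypatia's ingest, which is a cross-repo coupling that nothing here enforces; a unit test asserting this finding is emitted at Medium would catch silent drift on either side. The enclosing method and the struct literal both begin above the hunk.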