
CI governance: retire scorecard-enforcer.yml + keep Scorecard out of Code Scanning + refresh standards pins #169

Description

@hyperpolymath

Summary

The governance / Check Workflow Staleness job fails on verisimiser (seen on PR #167, run 28286708330). This is pre-existing repo/CI hygiene — unrelated to the provable.yml slice — surfaced here for triage on the master scheduler. It is very likely estate-wide (every -iser repo inherits the same standards-governance workflows).

What the check reports (verbatim)

ERROR: scorecard-enforcer.yml is retired. Use scorecard.yml -> standards scorecard-reusable.yml instead.
ERROR: OSSF Scorecard must not upload SARIF to GitHub Code Scanning unless it runs for every PR head commit.
ERROR: Remove legacy scorecard-enforcer.yml, refresh out-of-window standards reusable pins toward a recent commit, and keep Scorecard out of GitHub Code Scanning unless it runs for every PR head commit.
NOTICE: hypatia-scan-reusable.yml pin d135b05bfc64 is 17 commit(s) / 2d behind standards HEAD — within window (<=50 commits or <=14d). Bump deliberately with scripts/propagate-workflow-pins.sh when convenient.
NOTICE: scorecard-reusable.yml pin d135b05bfc64 is 17 commit(s) / 2d behind standards HEAD — within window.

Staleness check ran against standards SHA 583a9346ebf28e0fd8114f22aef140eaa1be4ac0.

Proposed actions

  • Remove the retired .github/workflows/scorecard-enforcer.yml.
  • Ensure .github/workflows/scorecard.yml delegates to the standards scorecard-reusable.yml and does not upload SARIF to GitHub Code Scanning unless it runs for every PR head commit.
  • Refresh the out-of-window standards reusable pins toward a recent commit (the pins are within the recency window today, so this is "when convenient") via scripts/propagate-workflow-pins.sh.
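The three checks quoted above, re-implemented as an added stand-alone Python dry-run that is not part of this repo or of the standards workflows: the workflow is passed in as an already-parsed dict (loading it with PyYAML is left to the caller), the commits/days-behind figures per pin come from git in real use and are constructed values here, and both the reading of "runs for every PR head commit" as "has a pull_request trigger" and the <=50 commits or <=14d window taken from the NOTICE lines are assumptions.

```python
PIN_WINDOW_COMMITS = 50   # thresholds quoted in the NOTICE lines ("<=50 commits or <=14d")
PIN_WINDOW_DAYS = 14
SARIF_UPLOAD_ACTION = "github/codeql-action/upload-sarif"


def uploads_sarif(workflow: dict) -> bool:
    """True if any step in any job calls the Code Scanning SARIF uploader."""
    for job in workflow.get("jobs", {}).values():
        for step in job.get("steps") or []:
            if str(step.get("uses", "")).startswith(SARIF_UPLOAD_ACTION):
                return True
    return False


def runs_on_every_pr_head(workflow: dict) -> bool:
    """Assumption: a pull_request trigger is what makes Scorecard run per PR head commit."""
    triggers = workflow.get("on", workflow.get(True, {}))  # PyYAML reads a bare `on:` as True
    if isinstance(triggers, str):
        return triggers == "pull_request"
    return "pull_request" in triggers  # list of event names, or mapping event -> filters


def check_repo(workflow_files: set, scorecard: dict, pins: dict) -> list:
    """Return ERROR/NOTICE lines shaped like the staleness job's output; pins maps
    reusable-workflow name -> (commits_behind, days_behind) vs. standards HEAD (from git)."""
    findings = []
    if "scorecard-enforcer.yml" in workflow_files:
        findings.append("ERROR: scorecard-enforcer.yml is retired. "
                        "Use scorecard.yml -> standards scorecard-reusable.yml instead.")
    if uploads_sarif(scorecard) and not runs_on_every_pr_head(scorecard):
        findings.append("ERROR: OSSF Scorecard must not upload SARIF to GitHub "
                        "Code Scanning unless it runs for every PR head commit.")
    for name, (commits, days) in pins.items():
        within = commits <= PIN_WINDOW_COMMITS or days <= PIN_WINDOW_DAYS
        findings.append(f"{'NOTICE' if within else 'ERROR'}: {name} pin is {commits} "
                        f"commit(s) / {days}d behind standards HEAD, "
                        f"{'within' if within else 'outside'} window.")
    return findings


# Constructed sample: scorecard.yml runs on a schedule only yet uploads SARIF (the
# pattern the check rejects), and the legacy enforcer file is still present.
SAMPLE_SCORECARD = {
    "on": {"schedule": [{"cron": "0 3 * * 1"}], "workflow_dispatch": {}},
    "jobs": {"scorecard": {"steps": [{"uses": "github/codeql-action/upload-sarif@v3"}]}},
}
SAMPLE_FILES = {"scorecard-enforcer.yml", "scorecard.yml", "hypatia-scan.yml"}
SAMPLE_PINS = {"hypatia-scan-reusable.yml": (17, 2), "scorecard-reusable.yml": (17, 2)}
```

Running `check_repo(SAMPLE_FILES, SAMPLE_SCORECARD, SAMPLE_PINS)` reproduces the two ERROR lines and two within-window NOTICE lines from the report; adding a `pull_request` trigger and deleting the enforcer file clears the errors.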

Scope note

Per the estate license/governance policy this is FLAG-and-triage, not an automated sweep. If the same scorecard-enforcer.yml/pins pattern recurs across the -iser family, consider an umbrella tracking issue in hyperpolymath/standards rather than per-repo fixes.


Filed from a Claude Code cloud session as a follow-up to PR #167 (merged). Surfaced for the master scheduler.
