Skip to content

Commit 2711ce4

Browse files
fix(ci): Phase-2 fleet submission must not fail the security gate (#52)
Layer-1 propagation of **hyperpolymath/hypatia#252**. This repo carries its own copy of `.github/workflows/hypatia-scan.yml`. The **"Submit findings to gitbot-fleet (Phase 2)"** step hard-failed the job (exit 127) for any commit with ≥1 finding — it clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch. That is the estate-wide "Hypatia Neurosymbolic Analysis fails regardless of content" symptom. Phase 2 is the collaborative **learning** side-channel, not the security gate (the gate is the separate baseline-aware critical/high step, which is untouched). Fix mirrors the canonical workflow: - `continue-on-error: true` on the Phase-2 step. - Self-healing body: non-fatal clone, probe known submit-script paths, skip with `::warning::` if absent or non-zero. Surgical: only the Phase-2 step changed; every other step preserved. Security enforcement is unchanged. Refs hyperpolymath/hypatia#252 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 5f9f712 commit 2711ce4

1 file changed

Lines changed: 55 additions & 7 deletions

File tree

.github/workflows/hypatia-scan.yml

Lines changed: 55 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -90,25 +90,73 @@ jobs:
9090

9191
- name: Submit findings to gitbot-fleet (Phase 2)
9292
if: steps.scan.outputs.findings_count > 0
93+
# Phase 2 is the collaborative LEARNING side-channel ("bots share
94+
# findings via gitbot-fleet"), not the security gate. The gate is
95+
# the baseline-aware "Check for critical or high-severity issues"
96+
# step below. A fleet-side regression (e.g. the submit script being
97+
# moved/removed) must NEVER hard-fail every consuming repo's scan.
98+
# Same reasoning as the "Comment on PR with findings" step.
99+
# See hyperpolymath/hypatia#213 (gate decoupling) and the exit-127
100+
# estate-wide breakage when gitbot-fleet/scripts/submit-finding.sh
101+
# no longer existed on the default branch.
102+
continue-on-error: true
93103
env:
104+
# All GitHub context values surface as env vars so the run
105+
# block never interpolates `${{ … }}` inline (closes the
106+
# workflow_audit/unsafe_curl_payload + actions_expression_injection
107+
# findings).
94108
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
109+
FLEET_PUSH_TOKEN: ${{ secrets.HYPATIA_DISPATCH_PAT }}
110+
FLEET_DISPATCH_TOKEN: ${{ secrets.HYPATIA_DISPATCH_PAT }}
95111
GITHUB_REPOSITORY: ${{ github.repository }}
96112
GITHUB_SHA: ${{ github.sha }}
113+
FINDINGS_COUNT: ${{ steps.scan.outputs.findings_count }}
97114
run: |
98-
echo "📤 Submitting ${{ steps.scan.outputs.findings_count }} findings to gitbot-fleet..."
115+
echo "📤 Submitting $FINDINGS_COUNT findings to gitbot-fleet..."
99116
100-
# Clone gitbot-fleet to temp directory
117+
# Clone gitbot-fleet to temp directory. A clone failure (network,
118+
# repo gone) is non-fatal: learning submission is best-effort.
101119
FLEET_DIR="/tmp/gitbot-fleet-$$"
102-
git clone https://github.com/hyperpolymath/gitbot-fleet.git "$FLEET_DIR"
120+
if ! git clone --depth 1 https://github.com/hyperpolymath/gitbot-fleet.git "$FLEET_DIR"; then
121+
echo "::warning::Could not clone gitbot-fleet — skipping Phase 2 learning submission (non-fatal)."
122+
exit 0
123+
fi
103124
104-
# Run submission script
105-
bash "$FLEET_DIR/scripts/submit-finding.sh" hypatia-findings.json
125+
# The submission script's location in gitbot-fleet has drifted
126+
# before (it was absent from the default branch, which exit-127'd
127+
# every consuming repo's scan). Probe known locations rather than
128+
# hard-coding one path, and skip gracefully if none is present.
129+
SUBMIT_SCRIPT=""
130+
for cand in \
131+
"$FLEET_DIR/scripts/submit-finding.sh" \
132+
"$FLEET_DIR/scripts/submit_finding.sh" \
133+
"$FLEET_DIR/bin/submit-finding.sh" \
134+
"$FLEET_DIR/submit-finding.sh"; do
135+
if [ -f "$cand" ]; then
136+
SUBMIT_SCRIPT="$cand"
137+
break
138+
fi
139+
done
140+
141+
if [ -z "$SUBMIT_SCRIPT" ]; then
142+
echo "::warning::gitbot-fleet submit-finding script not found at any known path — skipping Phase 2 learning submission (non-fatal). Findings are still uploaded as an artifact and gated below."
143+
rm -rf "$FLEET_DIR"
144+
exit 0
145+
fi
146+
147+
# Run submission script. Pass the findings path as ABSOLUTE —
148+
# the script cd's into its own working dir before reading the
149+
# file, so a relative path would resolve to the wrong place.
150+
# A submission-script failure is logged but non-fatal.
151+
if bash "$SUBMIT_SCRIPT" "$GITHUB_WORKSPACE/hypatia-findings.json"; then
152+
echo "✅ Finding submission complete"
153+
else
154+
echo "::warning::gitbot-fleet submission script exited non-zero — Phase 2 learning submission skipped (non-fatal)."
155+
fi
106156
107157
# Cleanup
108158
rm -rf "$FLEET_DIR"
109159
110-
echo "✅ Finding submission complete"
111-
112160
- name: Check for critical issues
113161
if: steps.scan.outputs.critical > 0
114162
run: |

0 commit comments

Comments
 (0)