1010 schedule :
1111 - cron : ' 0 0 * * 0' # Weekly on Sunday
1212 workflow_dispatch :
13+ # Estate guardrail: cancel superseded runs so re-pushes don't pile up
14+ # queued runs across the estate. Safe here because this workflow only
15+ # performs read-only checks/lint/test/scan with no publish or mutation.
16+ concurrency :
17+ group : ${{ github.workflow }}-${{ github.ref }}
18+ cancel-in-progress : true
1319
1420permissions :
1521 contents : read
1622 # security-events: read lets the built-in GITHUB_TOKEN query this
17- # repo\'s own Dependabot alerts via the Hypatia DependabotAlerts rule.
23+ # repo's own Dependabot alerts via the Hypatia DependabotAlerts rule
24+ # (DA001-DA004). Without this, `scan_from_path` gets HTTP 403 and
25+ # the rule silently returns no findings.
26+ # See 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md.
1827 security-events : read
28+ # pull-requests: write lets the advisory "Comment on PR with findings"
29+ # step post its summary. Without it the built-in GITHUB_TOKEN gets
30+ # "Resource not accessible by integration" and (absent continue-on-error)
31+ # hard-fails the scan — exactly what the gate-decoupling design forbids.
32+ pull-requests : write
1933
2034jobs :
2135 scan :
2438
2539 steps :
2640 - name : Checkout repository
27- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
41+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2842 with :
2943 fetch-depth : 0 # Full history for better pattern analysis
3044
@@ -41,26 +55,27 @@ jobs:
4155 fi
4256
4357 - name : Build Hypatia scanner (if needed)
44- working-directory : /home/runner/hypatia
4558 run : |
46- if [ ! -f hypatia-v2 ]; then
47- echo "Building hypatia-v2 scanner..."
48- cd scanner
59+ cd "$HOME/ hypatia"
60+ if [ ! -f hypatia ]; then
61+ echo "Building hypatia scanner..."
4962 mix deps.get
5063 mix escript.build
51- mv hypatia ../hypatia-v2
5264 fi
5365
5466 - name : Run Hypatia scan
5567 id : scan
5668 env :
57- # Suppress the Dependabot "GITHUB_TOKEN not set" warning.
69+ # Pass the built-in Actions token through to Hypatia so the
70+ # DependabotAlerts rule can query this repo's own alerts.
71+ # For cross-repo scanning (fleet-coordinator scan-supervised),
72+ # a PAT with `security_events` scope is required instead.
5873 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
5974 run : |
6075 echo "Scanning repository: ${{ github.repository }}"
6176
62- # Run scanner
63- HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json
77+ # Run scanner (exits non-zero when findings exist — suppress to continue)
78+ HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json || true
6479
6580 # Count findings
6681 FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)
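Review bot: The `|| true` appended to the scan invocation on new line 78 makes the step fail open: `--exit-zero` on the same line already suppresses the findings-present exit status, so what `|| true` additionally swallows is a real scanner failure (missing `$HOME/hypatia/hypatia-cli.sh`, a crash, a rejected token), and the following `jq ... 2>/dev/null || echo 0` then turns the resulting empty or invalid `hypatia-findings.json` into `FINDING_COUNT=0`, so a broken scanner is reported exactly like a clean repository. The new comment above it says the scanner exits non-zero when findings exist, which the `--exit-zero` flag on the same line contradicts; one of the two is redundant and the comment should state which behaviour is intended. I would drop the `|| true` and make the count refuse an unparseable file: `HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json` followed by `FINDING_COUNT=$(jq -e 'length' hypatia-findings.json) || { echo "::error::Hypatia produced no parseable findings file"; exit 1; }`, so that a scanner failure fails the step instead of silently passing the scan. Separately, `cd "$HOME/ hypatia"` on new line 59 appears to contain a space inside the quotes; that may be a rendering artifact, but it is worth confirming against the file since the `hypatia-cli.sh` path on line 78 has none. The "Run Hypatia scan" step continues past the end of this hunk.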
@@ -201,6 +216,11 @@ jobs:
201216
202217 - name : Comment on PR with findings
203218 if : github.event_name == 'pull_request' && steps.scan.outputs.findings_count > 0
219+ # Advisory only — posting findings as a PR comment must never gate
220+ # the scan (hypatia#213 gate decoupling). Belt-and-braces alongside
221+ # the pull-requests: write permission above: a token/API hiccup or
222+ # a fork PR (read-only token) skips the comment, not the check.
223+ continue-on-error : true
204224 uses : actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7
205225 with :
206226 script : |
@@ -231,9 +251,4 @@ jobs:
231251 repo: context.repo.repo,
232252 issue_number: context.issue.number,
233253 body: comment
234- });
235-
236- - name : K9-SVC Validation
237- run : |
238- echo "K9-SVC validation"
239- [ -d .machine_readable/contractiles ] && echo "Contractiles present" || echo "No contractiles"
254+ });