ci(governance): refresh stale standards pins + drop retired scorecard-enforcer #132
Merged
…-enforcer

The `governance / Check Workflow Staleness` check (hyperpolymath/standards check-workflow-staleness.sh) fails on every PR — it is a property of the repo's own workflow files, independent of feature work. Five rules fired:

- scorecard-enforcer.yml is retired, and is the sole workflow carrying both `ossf/scorecard-action@` and `codeql-action/upload-sarif@` (which the checker forbids unless Scorecard runs for every PR head commit) -> removed, clearing both the retired-file and the SARIF/Code-Scanning rules.
- governance.yml pinned governance-reusable.yml@main; hypatia-scan.yml and scorecard.yml pinned older reusable SHAs -> all three re-pinned to the current standards HEAD d72fe5a14e841ac6d78514b53624b6173038ee20 (SHA-pinned per estate policy; verified the reusables exist at that SHA).

Verified locally with the standards checker itself: "All workflow staleness checks passed", exit 0.

Scope kept minimal — only the four files the checker flags; the secret-scanner/mirror/rust-ci reusable pins (not checked) are left untouched to avoid changing unrelated CI behaviour.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6

Why
The governance / Check Workflow Staleness check fails on every PR (it surfaced on #131, but it's a property of the repo's own workflow files — independent of feature work). It clones hyperpolymath/standards and runs scripts/check-workflow-staleness.sh, which fired all five of its rules. This is the dedicated follow-up agreed for the staleness failure, kept separate from the #131 consolidation.

What the checker requires (and the fix)

no_retired_scorecard_enforcer | scorecard-enforcer.yml present | scorecard.yml → standards scorecard-reusable.yml)
no_scorecard_sarif_code_scanning | ossf/scorecard-action@ and codeql-action/upload-sarif@
estate_pin_freshness (governance) | governance.yml pinned ...@main | d72fe5a
no_stale_hypatia_reusable_pin | hypatia-scan.yml pinned ...@97df762 | d72fe5a
no_stale_scorecard_reusable_pin | scorecard.yml pinned ...@e0caf11 | d72fe5a

d72fe5a14e841ac6d78514b53624b6173038ee20 is the current hyperpolymath/standards HEAD (verified the three reusables exist at that SHA). SHA-pinning matches estate policy.

Verification
Ran the standards checker itself against this tree:
Scope
Minimal and deliberate — only the four files the checker flags. The secret-scanner/mirror/rust-ci reusable pins are not evaluated by the staleness check and are left untouched to avoid changing unrelated CI behaviour (a broader pin-refresh can be its own change if wanted).
🤖 Generated with Claude Code
https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6
Generated by Claude Code
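
The three kinds of rule the description lists (retired file present, `ossf/scorecard-action@` alongside `codeql-action/upload-sarif@`, reusable pin freshness), as an added example that is neither part of this PR nor the code of check-workflow-staleness.sh. The function names, finding labels, the `.github/workflows/` path of the reusables and the sample files are assumptions; the co-occurrence rule is simplified and does not model the "runs for every PR head commit" exception.

```sh
#!/bin/sh
# Added example; not hyperpolymath/standards' check-workflow-staleness.sh.
# Finding labels and sample files are constructed for illustration.

# scan_pins DIR SHA: print one finding per line, nothing when clean.
scan_pins() {
  dir=$1 want=$2
  # Retired workflow file must be absent.
  [ ! -e "$dir/scorecard-enforcer.yml" ] || echo "retired-file scorecard-enforcer.yml"
  for f in "$dir"/*.yml; do
    [ -e "$f" ] || continue
    name=${f##*/}
    # Simplified: flag scorecard-action together with upload-sarif in one file.
    if grep -q 'ossf/scorecard-action@' "$f" &&
       grep -q 'codeql-action/upload-sarif@' "$f"; then
      echo "scorecard-sarif $name"
    fi
    # Every standards reusable must be pinned to the expected 40-hex SHA.
    grep -E '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*hyperpolymath/standards/' "$f" |
    while IFS= read -r line; do
      ref=${line#*@}            # text after the first '@'
      ref=${ref%%[[:space:]]*}  # cut at trailing whitespace or comment
      case $ref in
        ""|*[!0-9a-f]*) echo "unpinned $name $ref" ;;   # branch, tag or empty
        *) if [ "${#ref}" -ne 40 ]; then echo "unpinned $name $ref"
           elif [ "$ref" != "$want" ]; then echo "stale-pin $name $ref"
           fi ;;
      esac
    done
  done
}

# check_pins DIR SHA: print findings; return 1 if there are any.
check_pins() {
  findings=$(scan_pins "$1" "$2")
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# write_wf FILE REUSABLE REF: write a constructed caller workflow.
write_wf() {
  printf 'jobs:\n  call:\n    uses: hyperpolymath/standards/.github/workflows/%s@%s\n' "$2" "$3" > "$1"
}

# make_sample DIR: constructed "before" tree (the stale SHA is made up).
make_sample() {
  write_wf "$1/governance.yml" governance-reusable.yml main
  write_wf "$1/scorecard.yml" scorecard-reusable.yml 1111111111111111111111111111111111111111
  printf 'steps:\n  - uses: ossf/scorecard-action@REF\n  - uses: github/codeql-action/upload-sarif@REF\n' > "$1/scorecard-enforcer.yml"
}
```

Running `make_sample` on an empty directory and then `check_pins` with the SHA from the description reports four findings; deleting scorecard-enforcer.yml and re-pinning the two callers to that SHA makes it return 0.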