fix(ci): hypatia-scan.yml -- --exit-zero + GITHUB_TOKEN (hyperpolymath/hypatia#213)#11
Open
hyperpolymath wants to merge 1 commit into
Open
fix(ci): hypatia-scan.yml -- --exit-zero + GITHUB_TOKEN (hyperpolymath/hypatia#213)#11hyperpolymath wants to merge 1 commit into
hyperpolymath wants to merge 1 commit into
Conversation
…rpolymath/hypatia#213) The Hypatia Security Scan workflow exits 1 on any findings (>= medium) because lib/hypatia/cli.ex halts with System.halt(1). Under `set -e`, that short-circuits the step before jq/artifact-upload/PR-comment run. Mirrors hyperpolymath/hypatia#228: * pass GITHUB_TOKEN so the Dependabot rule stops warning * append --exit-zero so the downstream critical/high gate stays the explicit gate * bump actions/upload-artifact to v4.6.2 (ea165f8d) to match the estate-wide pin See hyperpolymath/hypatia#213 for the diagnosis. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Mirrors hyperpolymath/hypatia#228 in this consumer repo.
What was actually broken in
Hypatia Security ScanThe scanner halts with
System.halt(1)whenever findings exist at or above the severity threshold (lib/hypatia/cli.ex:158-160pre-#228). Under GitHub Actions' defaultset -e, that exit-1 short-circuits the workflow step beforejqaggregation,actions/upload-artifact, the PR comment, AND the explicit "Check for critical or high-severity issues" step.The previous
actions/upload-artifactSHA-bump sweep across the estate (41 PRs) was based on a wrong diagnosis -- the failing runs were not at action-resolve time. See hyperpolymath/hypatia#213 for the full root-cause writeup.Changes in this PR
GITHUB_TOKENto the scan step env so the Dependabot rule can query alerts (and stops emittingWarning: Dependabot alerts unavailable: GITHUB_TOKEN not set).--exit-zeroto thehypatia-cli.sh scan .invocation so findings-at-severity no longer short-circuits the step. The downstream "Check for critical or high-severity issues" step (already in this workflow) remains the explicit gate.actions/upload-artifactto v4.6.2 (ea165f8d65b6e75b540449e92b4886f43607fa02) to match the estate-wide pin.Notes
--exit-zerowas added in fix(cli): add --exit-zero flag + always-emit stderr summary (closes #213) hypatia#228 and is silently ignored by pre-#228 versions of the scanner (OptionParser strict mode places unknown flags ininvalidand the CLI discards that), so this PR is safe to merge in either order relative to #228.exit 1on findings is unchanged for shell / pre-commit users.🤖 Generated with Claude Code