Relegated from the thread. The Hypatia advisory scan reports ~63 findings (1 Critical, 11 High, 51 Medium) on the workflow files — almost all workflow_audit missing_timeout_minutes. They are advisory / baselined / non-gating (scan runs --exit-zero; the baseline check passes), and were not introduced by recent PRs.
Tasks:
Likely estate-wide (workflows come from rsr-template) — fix once, propagate.
https://claude.ai/code/session_011z2t8zAxfcCNLJzU7YdpBQ
Relegated from the thread. The Hypatia advisory scan reports ~63 findings (1 Critical, 11 High, 51 Medium) on the workflow files — almost all
workflow_auditmissing_timeout_minutes. They are advisory / baselined / non-gating (scan runs--exit-zero; the baseline check passes), and were not introduced by recent PRs.Tasks:
hypatia) — the 1 Critical is in thehypatia-findings.jsonartifact, not in the PR comment (which embeds only the first 10 = mediums). Identify and address or dismiss it.timeout-minutesto workflow jobs (boj-build.yml,casket-pages.yml,codeql.yml,dependabot-automerge.yml,dogfood-gate.yml, …). Note: editing any workflow re-triggers the workflow-security-linter across all of them.gitbot-fleetlearning submission:hypatia-scan.ymlclones gitbot-fleet andgit pushreturns 403 (noFLEET_PUSH_TOKENwithcontents:write). Either provision the token or accept best-effort/silence it.Likely estate-wide (workflows come from rsr-template) — fix once, propagate.
https://claude.ai/code/session_011z2t8zAxfcCNLJzU7YdpBQ