Skip to content

Triage Hypatia workflow findings + wire gitbot-fleet learning token (estate) #43

Description

@hyperpolymath

Relegated from the thread. The Hypatia advisory scan reports ~63 findings (1 Critical, 11 High, 51 Medium) on the workflow files — almost all workflow_audit missing_timeout_minutes. They are advisory / baselined / non-gating (scan runs --exit-zero; the baseline check passes), and were not introduced by recent PRs.

Tasks:

  • Triage the findings on Security → Code scanning (category hypatia) — the 1 Critical is in the hypatia-findings.json artifact, not in the PR comment (which embeds only the first 10 = mediums). Identify and address or dismiss it.
  • Add timeout-minutes to workflow jobs (boj-build.yml, casket-pages.yml, codeql.yml, dependabot-automerge.yml, dogfood-gate.yml, …). Note: editing any workflow re-triggers the workflow-security-linter across all of them.
  • Wire the gitbot-fleet learning submission: hypatia-scan.yml clones gitbot-fleet and git push returns 403 (no FLEET_PUSH_TOKEN with contents:write). Either provision the token or accept best-effort/silence it.

Likely estate-wide (workflows come from rsr-template) — fix once, propagate.

https://claude.ai/code/session_011z2t8zAxfcCNLJzU7YdpBQ

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions