feat(governance): add rust-ci-reusable + elixir-ci-reusable workflows#174
Merged
Conversation
🔍 Hypatia Security ScanFindings: 122 issues detected
View findings[
{
"reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "deno-ci-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "elixir-ci-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "elixir-ci-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "rust-ci-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "rust-ci-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Python file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced May 26, 2026
Merged
Merged
Merged
Merged
Merged
Closed
hyperpolymath
added a commit
to hyperpolymath/bunsenite
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **audit-cov** ("opts into cargo-audit + coverage") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/conflow
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **audit-cov** ("opts into cargo-audit + coverage") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/echidna
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **audit-cov** ("opts into cargo-audit + coverage") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/neurophone
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **audit-cov** ("opts into cargo-audit + coverage") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/the-nash-equilibrium
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **trivial** ("baseline check + clippy + fmt + test") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/zerostep
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **audit-cov** ("opts into cargo-audit + coverage") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/rsr-template-repo
that referenced
this pull request
May 26, 2026
## Summary Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges. ## Why Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place. This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers). Variant: **trivial** ("baseline check + clippy + fmt + test") ## Test plan - [ ] CI: `rust-ci` job invokes the reusable and reports the same checks - [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 26, 2026
Merged
ci(rust): convert rust-ci.yml to thin wrapper (standards#174 refile)
hyperpolymath/nextgen-typing#15
Merged
ci(rust): convert rust-ci.yml to thin wrapper (standards#174 refile)
hyperpolymath/proof-burrower#21
Merged
hyperpolymath
added a commit
to hyperpolymath/absolute-zero
that referenced
this pull request
May 26, 2026
…53) Refile of the prior wrapper PR which drifted from main. Pins to hyperpolymath/standards#174 HEAD SHA `4fdf4314b4ab54269adbaff10e30e483b5e86845`. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
hyperpolymath
added a commit
to hyperpolymath/ideas-to-alphas
that referenced
this pull request
May 26, 2026
…#16) Pins to hyperpolymath/standards#174 HEAD SHA 4fdf4314b4ab54269adbaff10e30e483b5e86845. Refile of the original wrapper PR which had drifted from main and become un-rebaseable. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
hyperpolymath
added a commit
to hyperpolymath/proof-burrower
that referenced
this pull request
May 26, 2026
…#21) Pins to hyperpolymath/standards#174 HEAD SHA 4fdf4314b4ab54269adbaff10e30e483b5e86845. Refile of the original wrapper PR which had drifted from main and become un-rebaseable. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
hyperpolymath
added a commit
to hyperpolymath/nextgen-typing
that referenced
this pull request
May 26, 2026
…#15) Pins to hyperpolymath/standards#174 HEAD SHA 4fdf4314b4ab54269adbaff10e30e483b5e86845. Refile of the original wrapper PR which had drifted from main and become un-rebaseable. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
hyperpolymath
added a commit
that referenced
this pull request
May 26, 2026
…ql.yml drift (#192) ## Summary Third foundational reusable in the workflow-convergence sweep (#168 → #174 → #187 → #190 → this). Targets `codeql.yml`, the 263-deployment CodeQL security-analysis workflow. ### Drift survey Full pagination of `gh api /search/code` against `org:hyperpolymath`, blob-SHA grouped: | Metric | Value | |---|---| | Total deployments | **263** | | Unique blob SHAs | **69** (26% drift — same as mirror.yml) | | Top 7 SHAs coverage | **195/263 (74%)** | | Long-tail SHAs | 62 SHAs / 68 repos | ### Language matrix distribution (key for design) | Languages | Repos | Share | |---|---|---| | `javascript-typescript` only | **223** | **84.8%** | | `actions` only | 22 | 8.4% | | NONE (no matrix declared) | 6 | 2.3% | | `rust` only | 3 | 1.1% | | `javascript-typescript,rust` | 3 | 1.1% | | `actions,javascript-typescript` | 3 | 1.1% | | `actions,javascript-typescript,rust` | 2 | 0.8% | | `actions,rust` | 1 | 0.4% | **100% of estate variants use `build-mode: none`** — verified across rust-only, actions-only, and mixed sampled variants. ### Design choice — single-language single-job reusable Caller invokes the reusable **once per language**. Multi-language wrappers (~3.4%) call it multiple times in parallel; per-language SARIF separation is preserved via the `category: "/language:${{ inputs.language }}"` step. This matches how callers already think about CodeQL (one job per language) without forcing a JSON-array input or matrix-as-string-input. The alternative (matrix-as-input) would have made the 85% single-language case more awkward. ### Inputs - `language` (string, default `javascript-typescript`) — single CodeQL language identifier - `build-mode` (string, default `none`) — 100% of estate currently uses `none`; default covers everything - `runs-on` (string, default `ubuntu-latest`) ### Caller wrapper examples **Single-language (~85% of estate):** ```yaml jobs: codeql: uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha> ``` ~5 lines, replacing ~49. **Rust-only or actions-only (~10% of estate):** ```yaml jobs: codeql: uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha> with: language: rust ``` **Multi-language (~3.4% of estate):** ```yaml jobs: codeql-js: uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha> codeql-actions: uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha> with: language: actions codeql-rust: uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha> with: language: rust ``` ### Rollout plan **NOT started in this PR — owner-gated.** | Wave | Repos | Action | |---|---|---| | 1: bulk-mechanical | ~210 | Single-language `javascript-typescript` default. One-line wrapper. | | 2: single non-default | ~25 | Override `language: rust` or `language: actions`. | | 3: multi-language | ~9 | Two or three reusable invocations per wrapper. | | 4: NEEDS_REVIEW | ~18 | `NONE` matrix (6) + 100-line custom workflows (~2-3). Per-repo review. | Total expected sweep: ~245 PRs (93% mechanical). ### Pattern hardening - Same `workflow_call` shape as #168 / #174 / #187 / #190 — no new infrastructure. - Independent of all open standards PRs — lands in any order. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
hyperpolymath
added a commit
that referenced
this pull request
May 26, 2026
…e of the reusable trilogy (#193) ## Summary Fourth and largest-leverage reusable in the workflow-convergence campaign (#168 → #174 → #187 → #190 → #192 → this). Targets `hypatia-scan.yml`, the **416-line** estate-wide Hypatia neurosymbolic security scanner. ### Drift survey Full pagination of `gh api /search/code` against `org:hyperpolymath`: | Metric | Value | |---|---| | Total deployments | **255** | | Unique blob SHAs | **30** | | Structural drift | **11.8% — lowest of all 5 surveyed templates** | | Top 5 SHAs coverage | **213/255 (83.5%)** | | Top-SHA share | 100 repos (39.2%) | ### Feature variance: zero Sampled top 7 + long-tail 10 variants — **every single one carries exactly one `scan` job**. Line counts range 207-416, but this is pure propagation lag: older repos run an earlier slimmer version of the same monolithic job; newer repos run the 413-416-line current canonical. No customisation, no per-repo extras, no missing jobs in the long tail. ### Leverage — biggest of the convergence campaign | PR | Per-repo lines | Wrappers | LOC retired | |---|---|---|---| | #187 mirror | 145 → 12 | ~267 | ~35,500 | | #190 secret-scanner | ~80 → 12 | ~275 | ~19,000 | | #192 codeql | 49 → 5 | ~245 | ~10,800 | | **#193 hypatia-scan** | **416 → 16** | **~235** | **~94,000** | This single PR's downstream sweep retires more workflow LOC than #187 + #190 + #192 combined. ### Design **Zero inputs except `runs-on`.** The scan job body is byte-identical to the canonical `hypatia-scan.yml` — no per-repo values to parameterise; every interpolation is `${{ github.* }}` or `${{ secrets.* }}` which resolve in the caller context. **Caller MUST:** - Use `secrets: inherit` — so `GITHUB_TOKEN` + `HYPATIA_DISPATCH_PAT` flow through. Without inherit, the Phase-2 gitbot-fleet submission step silently no-ops (it's `continue-on-error`-guarded), and the DependabotAlerts rule loses read access (HTTP 403). - Grant `contents: read` + `security-events: write` + `pull-requests: write` at the call-site permissions block. **Called-workflow permissions are CAPPED by caller** — without `security-events: write` at the call site, SARIF upload to Security → Code scanning silently fails. ### Caller wrapper shape (post-merge) ```yaml # SPDX-License-Identifier: PMPL-1.0-or-later name: Hypatia Security Scan on: push: branches: [ main, master, develop ] pull_request: branches: [ main, master ] schedule: - cron: '0 0 * * 0' workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true permissions: contents: read security-events: write pull-requests: write jobs: scan: uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@<sha> secrets: inherit ``` ~16 lines per repo, replacing ~250-416 lines (depending on which propagation snapshot the repo currently carries). ### Rollout plan **NOT started in this PR — owner-gated, same as #187 / #190 / #192.** | Wave | Repos | Action | |---|---|---| | 1: current-canonical | ~211 | Top 6 SHAs at 413-416 lines. Pure mechanical wrapper. | | 2: standardize-up older | ~24 | 207-253-line older versions; convert to same wrapper — body of the scan job auto-upgrades on next workflow run. | | 3: per-repo review | ~2 | `hypatia` repo itself (345-line — likely a development snapshot), `standards` (the canonical source). Exclude from sweep. | Total expected sweep: **~235 mechanical wrappers** (92.2%) + 2 excluded + minor per-repo review. ### Pattern hardening - Same `workflow_call` shape as #168 / #174 / #187 / #190 / #192 — no new infrastructure. - Independent of all open standards PRs — lands in any order. ### Note on parallel-session count discrepancy A separate session's audit memory ([[project_foundational_workflow_survey_2026_05_26]]) recorded "hypatia-scan: 702 copies × 416 lines × HIGH homogeneity". My methodology (`gh api /search/code` paginated with `filename:hypatia-scan.yml path:.github/workflows org:hyperpolymath`) returns **255**. The HIGH homogeneity finding agrees in both surveys; the 702 figure is likely scheduled-run count or includes historical branches. Either way the leverage doesn't change much — this is the biggest single LOC removal in the campaign. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
…186) ## Summary Stacked on #174. Adds a `working_directory` string input (default `.`) to both reusable workflows so wrappers can target a sub-crate or sub-app layout without re-implementing the workflow. ## What changes **rust-ci-reusable.yml:** - New `working_directory` input (default `.`) - Each job declares `defaults.run.working-directory: ${{ inputs.working_directory }}` - `hashFiles('Cargo.toml')` guards now use `hashFiles(format('{0}/Cargo.toml', inputs.working_directory))` - Swatinem/rust-cache `workspaces:` parameter passes the working directory so caches are keyed per sub-crate **elixir-ci-reusable.yml:** - New `working_directory` input (default `.`) - Job declares `defaults.run.working-directory` - `mix.exs` and `mix.lock` lookups + cache `path:` entries all consult the input via `format()` ## Why Audit of the 6 remaining elixir-ci.yml consumers + the 5 complex rust-ci.yml consumers (as of 2026-05-26): **elixir (3 of 6 need this):** - burble → `server/` - feedback-o-tron → (working-directory) - verisimdb → (working-directory) **rust (1 of 5 needs this; the rest use matrix dimensions):** - reasonably-good-token-vault → per-crate (`vault-broker`, `rgtv-cli`) ## Explicitly out of scope Multi-OS / multi-Rust-version / multi-crate matrices and `cross build` support are deferred. The 4 matrix-using rust-ci repos each use a **different** matrix dimension (`os` / `rust` / `workspaces` / `manifests`) — no single shared abstraction fits cleanly. They stay bespoke for now; re-evaluate after the current wrapper sweep completes. | Repo | Matrix dimension | |---|---| | julia-the-viper | `os` (linux/macos/windows) | | verisimiser | `rust` (1.85, stable) | | reasonably-good-token-vault | `crate` (multi-workspace — covered by `working_directory` per-job) | | verisimdb | `manifest` (fuzz/Cargo.toml + rust-core/fuzz/Cargo.toml) + coverage + audit | ## Test plan - [x] YAML parse OK locally (python3 yaml.safe_load both files) - [ ] CI on this PR — but circular-validation caveat applies (per #174 PR description) — `pull_request` runs target-branch workflow, not the PR's - [ ] Owner merge order: #174 → this PR (this is stacked on `feat/rust-ci-reusable`; GitHub will retarget to `main` automatically once #174 merges) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
8c43e1b to
6584b39
Compare
🔍 Hypatia Security ScanFindings: 161 issues detected
View findings[
{
"reason": "Issue in affinescript-verify.yml",
"type": "unknown",
"file": "affinescript-verify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "unknown",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "unknown",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "unknown",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in changelog-reusable.yml",
"type": "unknown",
"file": "changelog-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql-reusable.yml",
"type": "unknown",
"file": "codeql-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "unknown",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in deno-ci-reusable.yml",
"type": "unknown",
"file": "deno-ci-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in doc-format.yml",
"type": "unknown",
"file": "doc-format.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in echidna-verify.yml",
"type": "unknown",
"file": "echidna-verify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced May 29, 2026
hyperpolymath
added a commit
to hyperpolymath/ideas-to-alphas
that referenced
this pull request
May 29, 2026
…#21) Pins to hyperpolymath/standards#174 HEAD SHA 4fdf4314b4ab54269adbaff10e30e483b5e86845. Refile of the original wrapper PR which had drifted from main and become un-rebaseable. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
16 tasks
hyperpolymath
added a commit
to hyperpolymath/proof-burrower
that referenced
this pull request
May 29, 2026
…#27) Pins to hyperpolymath/standards#174 HEAD SHA 4fdf4314b4ab54269adbaff10e30e483b5e86845. Refile of the original wrapper PR which had drifted from main and become un-rebaseable. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
16 tasks
hyperpolymath
added a commit
to hyperpolymath/nextgen-typing
that referenced
this pull request
May 29, 2026
…#23) Pins to hyperpolymath/standards#174 HEAD SHA 4fdf4314b4ab54269adbaff10e30e483b5e86845. Refile of the original wrapper PR which had drifted from main and become un-rebaseable. Part of estate-wide rust-ci convergence campaign 2026-05-26 (standards#174).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why — extends #168 to the next two template-drift bug classes
`#168` (merged) consolidated language-policy into governance-reusable and added deno-ci-reusable. That pattern — single source-of-truth reusable in standards consumed via a thin wrapper — kills the "every copy drifts independently" failure mode.
Estate audit done with `gh api search/code` (2026-05-26):
`elixir-ci.yml` is especially bad — every copy is unique, and at least one (`bofig`) is YAML-broken with literal `npermissions:` lines from a botched estate sweep.
What changes
Two new reusable workflows in `.github/workflows/`:
`rust-ci-reusable.yml`
`elixir-ci-reusable.yml`
Downstream rollout
After merge, each of the 137 (Rust) / 9 (Elixir) repos can replace its local copy with a 5-line wrapper:
```yaml
.github/workflows/rust-ci.yml
name: Rust CI
on:
push: { branches: [main, master] }
pull_request:
permissions:
contents: read
jobs:
rust-ci:
uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main
```
Same shape as `governance.yml` → `governance-reusable.yml`, and the absolute-zero #41 + tma-mark2 #41 `deno-ci.yml` wrappers landed yesterday. Rollout can be fanned out per-repo.
Test plan