ci: allowlist-gap resilience — canonical allowed-actions + detect/apply tooling (HYP-S008)#482
Merged
Merged
Conversation
…ly tooling Fixes the un-squabble-able `startup_failure` class: under `allowed_actions: selected`, a workflow that `uses:` an un-allowlisted action/reusable dies at startup with zero jobs and no log. Migrating a repo between orgs resets `patterns_allowed` to [] and blocks EVERY estate action at once (observed 2026-07-11: gossamer -> metadatastician, 16/25 `uses:` blocked, mass CI outage). Teaches the three CI/CD tools to deal with it: - SQUABBLER: scripts/check-allowed-actions.sh — turns the opaque startup_failure into a legible, satisfiable gate (lists uncovered `uses:`; exit 1 on gap; no API/admin). Runnable in a preflight job, the governance gate, or rhodibot. - HYPATIA: hypatia-rules/workflow-allowlist-gap.a2ml (HYP-S008) — scans the workflow tree and emits compliance.finding.new for each uncovered `uses:`. - ROBOT-REPO-AUTOMATON: scripts/set-allowed-actions.sh — applies the canonical allowlist (admin PAT); the onboarding/migration sweep MUST run it so `patterns_allowed` is never empty. Rhodibot detects+reports; the admin PAT sets. Canonical source of truth: rhodium-standard-repositories/actions-allowlist/ allowed-actions.json (80 patterns = the estate set + the 4 that were missing: dawidd6/action-send-mail, android-actions/setup-android, reactivecircus/android-emulator-runner, slsa-framework/slsa-github-generator). README documents the RSR requirement (repos MUST have a selected allowlist that supersets their workflows' `uses:`). Verified: check exits 0 on the canonical list, lists all 16 gaps on an empty one. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
hyperpolymath
added a commit
that referenced
this pull request
Jul 11, 2026
…gate) Registry went stale after the #482 allowlist additions merged. Regenerated from ground truth via scripts/build-registry.sh (32 specs) — no hand edits. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jul 11, 2026
Follow-up to #482. Two additions the live gossamer/metadatastician fix surfaced: - scripts/set-allowed-actions.sh: escalate the apply repo -> org (owner) -> enterprise. A repo-level PUT that 409s "already set at the organization or enterprise level" now falls back to the governing level — the metadatastician case (allowlist enforced at the ORG level, so the repo PUT 409s). - rhodium-standard-repositories/.github/workflows/allowlist-preflight.yml: a template workflow (seeded into every RSR repo) that runs check-allowed-actions using only actions/checkout, so it can never itself startup-fail. Turns an opaque estate-wide startup_failure blackout into one legible red check. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jul 11, 2026
…gate) Registry went stale after the #482 allowlist additions merged. Regenerated from ground truth via scripts/build-registry.sh (32 specs) — no hand edits. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Diagnosis (the "estate-wide CI startup_failure transient")
Not transient, and not random. RSR repos run
allowed_actions: selected+sha_pinning_required: true. Under that, a workflow thatuses:an action/reusable not on the allowlist dies at startup — zero jobs, no log (the opaque "workflow file issue"). You can't squabble a run that never started.Root cause + scope:
patterns_allowed = [](empty). Migrating a repo between orgs (gossamer → metadatastician, 2026-07-10) resets the allowlist, so 16 of 25uses:were blocked at once → massstartup_failure(Governance, Secret Scanner, SPARK, Hypatia, Mirror, Android, push-email).dawidd6/action-send-mail→ that's why Push email startup_failed in both orgs.So it's both estates, worst on freshly-migrated metadatastician repos.
What this PR adds — teaching the three tools
scripts/check-allowed-actions.shstartup_failureinto a legible, satisfiable gate — lists exactly whichuses:aren't covered. No API/admin. Exit 1 on gap.hypatia-rules/workflow-allowlist-gap.a2ml(HYP-S008).github/workflows/and emitscompliance.finding.newper uncovereduses:— caught at scan, before a dark run.scripts/set-allowed-actions.shpatterns_allowedis never empty. Rhodibot (onlycontents/pull-requests: write) can only detect+report; the admin PAT sets.Canonical SoT:
rhodium-standard-repositories/actions-allowlist/allowed-actions.json— 80 patterns = the estate set + the 4 that were missing (dawidd6/action-send-mail,android-actions/setup-android,reactivecircus/android-emulator-runner,slsa-framework/slsa-github-generator). Plus the RSR requirement in the README (repos MUST have aselectedallowlist that supersets their workflows'uses:).Verified
check-allowed-actions.shexits 0 on the canonical list; lists all 16 gaps on an empty one (reproducing gossamer's exact failure).uses:— 0 gaps.The live fix (needs an admin token — over to you)
I did not flip the live Actions policy (correctly blocked — it's an admin security mutation). To clear the current breakage:
Then the onboarding automaton should call
set-allowed-actions.shon every create/migrate.🤖 Generated with Claude Code