Skip to content

ci: allowlist-gap resilience — canonical allowed-actions + detect/apply tooling (HYP-S008)#482

Merged
hyperpolymath merged 2 commits into
mainfrom
ci/actions-allowlist-resilience
Jul 11, 2026
Merged

ci: allowlist-gap resilience — canonical allowed-actions + detect/apply tooling (HYP-S008)#482
hyperpolymath merged 2 commits into
mainfrom
ci/actions-allowlist-resilience

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

Diagnosis (the "estate-wide CI startup_failure transient")

Not transient, and not random. RSR repos run allowed_actions: selected + sha_pinning_required: true. Under that, a workflow that uses: an action/reusable not on the allowlist dies at startup — zero jobs, no log (the opaque "workflow file issue"). You can't squabble a run that never started.

Root cause + scope:

  • metadatastician/gossamer: patterns_allowed = [] (empty). Migrating a repo between orgs (gossamer → metadatastician, 2026-07-10) resets the allowlist, so 16 of 25 uses: were blocked at once → mass startup_failure (Governance, Secret Scanner, SPARK, Hypatia, Mirror, Android, push-email).
  • hyperpolymath/standards: rich 76-pattern allowlist, but missing dawidd6/action-send-mail → that's why Push email startup_failed in both orgs.

So it's both estates, worst on freshly-migrated metadatastician repos.

What this PR adds — teaching the three tools

Tool File Role
Squabbler (CI gate) scripts/check-allowed-actions.sh Turns the opaque startup_failure into a legible, satisfiable gate — lists exactly which uses: aren't covered. No API/admin. Exit 1 on gap.
Hypatia hypatia-rules/workflow-allowlist-gap.a2ml (HYP-S008) Scans .github/workflows/ and emits compliance.finding.new per uncovered uses: — caught at scan, before a dark run.
Robot-repo-automaton scripts/set-allowed-actions.sh The root prevention: applies the canonical allowlist (admin PAT). The onboarding/migration sweep MUST run it so patterns_allowed is never empty. Rhodibot (only contents/pull-requests: write) can only detect+report; the admin PAT sets.

Canonical SoT: rhodium-standard-repositories/actions-allowlist/allowed-actions.json — 80 patterns = the estate set + the 4 that were missing (dawidd6/action-send-mail, android-actions/setup-android, reactivecircus/android-emulator-runner, slsa-framework/slsa-github-generator). Plus the RSR requirement in the README (repos MUST have a selected allowlist that supersets their workflows' uses:).

Verified

  • check-allowed-actions.sh exits 0 on the canonical list; lists all 16 gaps on an empty one (reproducing gossamer's exact failure).
  • Dogfood: standards' own 26 uses:0 gaps.

The live fix (needs an admin token — over to you)

I did not flip the live Actions policy (correctly blocked — it's an admin security mutation). To clear the current breakage:

# gossamer (empty allowlist — the acute one):
gh api -X PUT repos/metadatastician/gossamer/actions/permissions -F enabled=true -f allowed_actions=selected
gh api -X PUT repos/metadatastician/gossamer/actions/permissions/selected-actions \
  --input rhodium-standard-repositories/actions-allowlist/allowed-actions.json
# standards (adds dawidd6/action-send-mail etc.):
bash scripts/set-allowed-actions.sh hyperpolymath/standards

Then the onboarding automaton should call set-allowed-actions.sh on every create/migrate.

🤖 Generated with Claude Code

hyperpolymath and others added 2 commits July 11, 2026 11:04
…ly tooling

Fixes the un-squabble-able `startup_failure` class: under `allowed_actions:
selected`, a workflow that `uses:` an un-allowlisted action/reusable dies at
startup with zero jobs and no log. Migrating a repo between orgs resets
`patterns_allowed` to [] and blocks EVERY estate action at once (observed
2026-07-11: gossamer -> metadatastician, 16/25 `uses:` blocked, mass CI outage).

Teaches the three CI/CD tools to deal with it:
- SQUABBLER: scripts/check-allowed-actions.sh — turns the opaque startup_failure
  into a legible, satisfiable gate (lists uncovered `uses:`; exit 1 on gap; no
  API/admin). Runnable in a preflight job, the governance gate, or rhodibot.
- HYPATIA: hypatia-rules/workflow-allowlist-gap.a2ml (HYP-S008) — scans the
  workflow tree and emits compliance.finding.new for each uncovered `uses:`.
- ROBOT-REPO-AUTOMATON: scripts/set-allowed-actions.sh — applies the canonical
  allowlist (admin PAT); the onboarding/migration sweep MUST run it so
  `patterns_allowed` is never empty. Rhodibot detects+reports; the admin PAT sets.

Canonical source of truth: rhodium-standard-repositories/actions-allowlist/
allowed-actions.json (80 patterns = the estate set + the 4 that were missing:
dawidd6/action-send-mail, android-actions/setup-android,
reactivecircus/android-emulator-runner, slsa-framework/slsa-github-generator).
README documents the RSR requirement (repos MUST have a selected allowlist that
supersets their workflows' `uses:`). Verified: check exits 0 on the canonical
list, lists all 16 gaps on an empty one.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 9a36c90 into main Jul 11, 2026
17 of 18 checks passed
@hyperpolymath hyperpolymath deleted the ci/actions-allowlist-resilience branch July 11, 2026 10:22
@sonarqubecloud

Copy link
Copy Markdown

hyperpolymath added a commit that referenced this pull request Jul 11, 2026
…gate)

Registry went stale after the #482 allowlist additions merged. Regenerated from
ground truth via scripts/build-registry.sh (32 specs) — no hand edits.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request Jul 11, 2026
Follow-up to #482. Two additions the live gossamer/metadatastician fix surfaced:

- scripts/set-allowed-actions.sh: escalate the apply repo -> org (owner) ->
  enterprise. A repo-level PUT that 409s "already set at the organization or
  enterprise level" now falls back to the governing level — the metadatastician
  case (allowlist enforced at the ORG level, so the repo PUT 409s).
- rhodium-standard-repositories/.github/workflows/allowlist-preflight.yml: a
  template workflow (seeded into every RSR repo) that runs check-allowed-actions
  using only actions/checkout, so it can never itself startup-fail. Turns an
  opaque estate-wide startup_failure blackout into one legible red check.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request Jul 11, 2026
…gate)

Registry went stale after the #482 allowlist additions merged. Regenerated from
ground truth via scripts/build-registry.sh (32 specs) — no hand edits.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant