
ci(scorecard): add job-level permissions for reusable workflow #47

Merged

hyperpolymath merged 1 commit into main from chore/scorecard-job-perms-282 on May 31, 2026

Conversation

@hyperpolymath

Owner

Summary

  • Add permissions: { security-events: write, id-token: write } to jobs.analysis so the called scorecard reusable can upload SARIF.
  • Without job-level overrides the caller's permissions: read-all caps the reusable and ossf/scorecard-action silently fails with startup_failure.

Refs hyperpolymath/standards#282

Test plan

  • Local diff is 3 lines exactly
  • CI green
  • Auto-merge squash + delete-branch on green

🤖 Generated with Claude Code

Reusable-workflow permission inheritance caps called-workflow
permissions by the caller's block. Without job-level overrides,
ossf/scorecard-action cannot upload SARIF — runs silently end in
startup_failure.

Refs hyperpolymath/standards#282

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 31, 2026 10:16
@hyperpolymath hyperpolymath merged commit d723240 into main May 31, 2026
5 of 15 checks passed
@hyperpolymath hyperpolymath deleted the chore/scorecard-job-perms-282 branch May 31, 2026 10:16
hyperpolymath added a commit that referenced this pull request Jun 4, 2026
…gate instant-sync (#53)

## Summary

Follow-up to #52. After the reusable re-pins landed, I verified `main`'s
post-merge CI and found **Hypatia is now green** (re-pin worked) but
**Scorecards still `startup_failure`** — proving its cause was *not* the
stale SHA. Root-caused and fixed here, plus the one genuinely-actionable
Hypatia HIGH.

## Scorecard `startup_failure` — real root cause

The `scorecard-reusable.yml` declares top-level `permissions: contents:
read`. But this repo's wrapper sets **job-level** `permissions: {
security-events: write, id-token: write }` (added in #47), and a
job-level permissions block sets every unlisted permission to `none` —
so `contents` became `none`. A reusable workflow that requests a
permission its caller didn't grant **fails at startup** (0 jobs), which
is exactly the symptom — and it persisted across the re-pin (unlike
Hypatia, whose wrapper grants `contents: read` at workflow level).

**Fix:** add `contents: read` to the `analysis` job's permissions
(verified against the reusable's declared `permissions:` at `861b5e9`).

## instant-sync — presence gate

Per Hypatia's `secret_action_without_presence_gate` (HIGH), the
`repository-dispatch` step is now gated on token presence (job `env` +
`if: ${{ env.FARM_DISPATCH_TOKEN != '' }}`), so absent-token contexts
skip cleanly.

⚠️ This does **not** make Instant Sync green by itself: the configured
`FARM_DISPATCH_TOKEN` returns `Bad credentials` and **must be rotated by
the maintainer** — no in-repo change can mint a valid credential.

## Still needs a maintainer decision (surfaced, not touched — ambiguous/destructive)

- **6 submodule gitlinks with no `.gitmodules`** (`fs`, `obli-fs`,
`transpiler`, `ssg`, `riscv-dev-kit`, `obli-riscv-dev-kit`) — all empty,
pointing at commits with no URL. Either restore a `.gitmodules` (if real
submodules) or `git rm --cached` them (if accidental). Needs your
intent.
- **Stale remote branches** (`GS007`): e.g. `cicd/codeql-cron-monthly`,
`claude/codeql-actions-scan`, `claude/proof-debt-ledger`. Branch
deletion is destructive — your call.
- **`CSA001` structural-drift** alerts on
`.machine_readable/{PLAYBOOK,NEUROSYM,AGENTIC}.scm` (stale prior-run
code-scanning alerts) — schema work, needs context.
- The other Hypatia findings are advisory; the 5 remaining
`missing_timeout_minutes` flags are **false positives** (reusable-caller
jobs cannot carry `timeout-minutes`).

🤖 Draft — opened for review.

https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ

---
_Generated by [Claude Code](https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ)_

Co-authored-by: Claude <noreply@anthropic.com>
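To make the permission interaction described in #47 and the follow-up commit concrete, here is an added illustration of a caller workflow and the called reusable side by side. It is not the repository's own configuration: the caller's file path, the trigger, the `uses:` target and the reusable's job body are assumptions, refs are placeholders, and the only permission the page confirms for the reusable is its top-level `contents: read`.

```yaml
# Added illustration, not taken from the hyperpolymath repository.
# Caller: .github/workflows/scorecard.yml (assumed path)
name: Scorecard
on:
  schedule:
    - cron: "30 1 * * 6"   # constructed weekly schedule
  push:
    branches: [main]

# Workflow-level default for every job that does not override it.
permissions: read-all

jobs:
  analysis:
    # BEFORE #47: no job-level block. The reusable inherits `read-all`,
    # cannot obtain `security-events: write` / `id-token: write`, and the
    # run ends in startup_failure without uploading SARIF.
    #
    # AFTER #47 but BEFORE the follow-up (still broken): a job-level block
    # sets every scope it does not list to `none`, so `contents` silently
    # dropped to `none` while the reusable declares `contents: read`.
    #
    #   permissions:
    #     security-events: write
    #     id-token: write
    #
    # Working: grant every scope the reusable declares, nothing less.
    # (No `timeout-minutes` here: reusable-caller jobs cannot carry it.)
    permissions:
      contents: read          # the reusable declares this at top level
      security-events: write  # needed to upload SARIF to code scanning
      id-token: write         # needed for scorecard's OIDC-based publishing
    uses: OWNER/REPO/.github/workflows/scorecard-reusable.yml@PINNED_SHA  # placeholder ref
---
# Called: scorecard-reusable.yml (file name from the PR; body is illustrative)
name: Scorecard (reusable)
on:
  workflow_call:

# Declared at top level per the commit message. A called workflow may only
# keep or narrow what its caller passed; requesting a scope the caller set
# to `none` makes the run fail at startup with 0 jobs.
permissions:
  contents: read

jobs:
  scorecard:
    runs-on: ubuntu-latest
    # Job-level scopes below are an assumption about what a SARIF-uploading
    # reusable needs; the page does not show this part of the file.
    permissions:
      contents: read
      security-events: write
      id-token: write
    steps:
      - uses: ossf/scorecard-action@PINNED_SHA   # placeholder; pin to a full commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@PINNED_SHA   # placeholder; pin to a full commit SHA
        with:
          sarif_file: results.sarif
```

The check to run when a reusable-workflow caller shows `startup_failure` with zero jobs: list every scope the reusable declares (workflow level and job level) and confirm each one appears in the caller job's `permissions:` block, remembering that once that block exists, any scope missing from it is `none` regardless of the workflow-level default.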