Skip to content

fix(shim): harden PseudoScript shim discovery + pin canonical#30

Merged
hyperpolymath merged 2 commits into
mainfrom
ci/harden-face-shim
Jul 9, 2026
Merged

fix(shim): harden PseudoScript shim discovery + pin canonical#30
hyperpolymath merged 2 commits into
mainfrom
ci/harden-face-shim

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

Hardens the bin/pseudo shim (discovery: $AFFINESCRIPT → PATH → sibling checkout, actionable not-found message) and adds .affinescript-pin (canonical commit lock).

Part of Milestone A of the face-sealing plan. Binding contract: docs/specs/FACE-CONTRACT.adoc in hyperpolymath/affinescript (PR #685). Draft — lands after the contract PR is reviewed.

hyperpolymath and others added 2 commits July 7, 2026 19:23
- grant secret-scanner reusable its requested job permissions
- drop invalid timeout-minutes on reusable-call jobs
- drop hashFiles() from job-level if: expressions
Replace the bare-`affinescript` call with discovery order ($AFFINESCRIPT →
PATH → sibling checkout) and an actionable not-found message. Add
.affinescript-pin recording the canonical commit this brand surface is validated
against. Binding is normative in FACE-CONTRACT.adoc (hyperpolymath/affinescript).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 16 issues detected

Severity Count
🔴 Critical 0
🟠 High 9
🟡 Medium 7
View findings
[
  {
    "reason": "Issue in push-email-notify.yml",
    "type": "missing_timeout_minutes",
    "file": "push-email-notify.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Repository has 14 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): BranchProtectionID -- Branch-Protection -- 13 day(s) old [STALE]",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/workflow_audit/missing_timeout_minutes -- Hypatia workflow_audit: missing_timeout_minutes -- 13 day(s) old",
    "type": "CSA001",
    "file": "push-email-notify.yml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): FuzzingID -- Fuzzing -- 20 day(s) old",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): SASTID -- SAST -- 20 day(s) old",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): MaintainedID -- Maintained -- 20 day(s) old [STALE]",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Scorecard): CodeReviewID -- Code-Review -- 20 day(s) old [STALE]",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 20 day(s) old [STALE]",
    "type": "CSA001",
    "file": ".github/workflows/hypatia-scan.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/git_state/GS007 -- Hypatia git_state: GS007 -- 48 day(s) old [STALE]",
    "type": "CSA001",
    "file": ".",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review July 9, 2026 08:36
@hyperpolymath hyperpolymath merged commit 8ec6eb6 into main Jul 9, 2026
18 of 19 checks passed
@hyperpolymath hyperpolymath deleted the ci/harden-face-shim branch July 9, 2026 08:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant