feat(governance): add rust-ci-reusable + elixir-ci-reusable workflows #174
Open
hyperpolymath wants to merge 2 commits into
Conversation
Extends the #168 pattern (deno-ci-reusable, language-policy in governance-reusable) to two more high-drift workflow templates.

Estate audit 2026-05-26 (via gh api search/code):

- rust-ci.yml: 137 repos, 30 unique SHAs (high drift)
- elixir-ci.yml: 9 repos, 9 unique SHAs (100% drift; one corrupt YAML with literal 'npermissions:' lines from a botched permissions-injection sweep)

rust-ci-reusable.yml

* Split jobs (check / test) + opt-in audit + opt-in coverage.
* if: hashFiles('Cargo.toml') guard on every job.
* Top-level + per-job permissions: contents: read.
* Inputs: enable_audit, enable_coverage, clippy_args, test_args, check_args, runs-on.

elixir-ci-reusable.yml

* Two cache layers (deps + _build) keyed by elixir-version + mix.lock hash.
* mix deps.compile step BEFORE mix compile --warnings-as-errors so upstream-dep warnings don't fail the strict gate. Validated against tma-mark2 #41 in commit fa32c4f.
* Default elixir-version 1.17 (the 1.15 default in the legacy template produced the "(Mix) declared in mix.exs supports only Elixir ~> 1.17" error tma-mark2 hit).
* Inputs: otp-version, elixir-version, enable_dialyzer, enable_credo, runs-on.

Downstream rollout (separate PRs, can be fanned out per-repo): each repo carrying rust-ci.yml or elixir-ci.yml replaces it with a 5-line wrapper, same shape as governance.yml + the deno-ci wrappers landed by absolute-zero #41 and tma-mark2 #41.

Refs #168 (the deno-ci precedent).
🔍 Hypatia Security Scan

Findings: 122 issues detected

```json
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "deno-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "elixir-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "elixir-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "rust-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "rust-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
This was referenced May 26, 2026
hyperpolymath
added a commit
to hyperpolymath/bqniser
that referenced
this pull request
May 26, 2026
## Summary

Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges.

## Why

Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place.

This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers).

Variant: **trivial** ("baseline check + clippy + fmt + test")

## Test plan

- [ ] CI: `rust-ci` job invokes the reusable and reports the same checks
- [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/hesiod-dns-map
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/natsci-studio
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/panic-attack
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/phronesiser
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/proof-of-work
that referenced
this pull request
May 26, 2026
## Summary

Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow filed in [standards#174](hyperpolymath/standards#174). Pinned to that PR's HEAD SHA (`4fdf4314b4ab54269adbaff10e30e483b5e86845`); will resolve to standards/main once #174 merges.

## Why

Estate audit found ~87 `rust-ci.yml` copies across the estate with significant drift. Converting each to a 5-line wrapper means future Rust CI changes propagate in one place.

This PR is part of the foundational sweep following the established [standards#168](hyperpolymath/standards#168) precedent (governance-reusable + absolute-zero#41 + tma-mark2#41 wrappers).

Variant: **audit-cov** ("opts into cargo-audit + coverage")

## Test plan

- [ ] CI: `rust-ci` job invokes the reusable and reports the same checks
- [ ] Awaiting standards#174 merge before this becomes useful long-term (still works today via SHA pin)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/rpa-elysium
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/ephapax
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/januskey
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/heterogenous-mobile-computing
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the proof-of-work commit above; variant: **audit-cov** ("opts into cargo-audit + coverage").
hyperpolymath
added a commit
to hyperpolymath/snifs
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/conative-gating
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the proof-of-work commit above; variant: **audit-cov** ("opts into cargo-audit + coverage").
hyperpolymath
added a commit
to hyperpolymath/dafniser
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/oblibeniser
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/affinescriptiser
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
This was referenced May 26, 2026
…186)

## Summary

Stacked on #174. Adds a `working_directory` string input (default `.`) to both reusable workflows so wrappers can target a sub-crate or sub-app layout without re-implementing the workflow.

## What changes

**rust-ci-reusable.yml:**

- New `working_directory` input (default `.`)
- Each job declares `defaults.run.working-directory: ${{ inputs.working_directory }}`
- `hashFiles('Cargo.toml')` guards now use `hashFiles(format('{0}/Cargo.toml', inputs.working_directory))`
- Swatinem/rust-cache `workspaces:` parameter passes the working directory so caches are keyed per sub-crate

**elixir-ci-reusable.yml:**

- New `working_directory` input (default `.`)
- Job declares `defaults.run.working-directory`
- `mix.exs` and `mix.lock` lookups + cache `path:` entries all consult the input via `format()`

## Why

Audit of the 6 remaining elixir-ci.yml consumers + the 5 complex rust-ci.yml consumers (as of 2026-05-26):

**elixir (3 of 6 need this):**

- burble → `server/`
- feedback-o-tron → (working-directory)
- verisimdb → (working-directory)

**rust (1 of 5 needs this; the rest use matrix dimensions):**

- reasonably-good-token-vault → per-crate (`vault-broker`, `rgtv-cli`)

## Explicitly out of scope

Multi-OS / multi-Rust-version / multi-crate matrices and `cross build` support are deferred. The 4 matrix-using rust-ci repos each use a **different** matrix dimension (`os` / `rust` / `workspaces` / `manifests`) — no single shared abstraction fits cleanly. They stay bespoke for now; re-evaluate after the current wrapper sweep completes.

| Repo | Matrix dimension |
|---|---|
| julia-the-viper | `os` (linux/macos/windows) |
| verisimiser | `rust` (1.85, stable) |
| reasonably-good-token-vault | `crate` (multi-workspace — covered by `working_directory` per-job) |
| verisimdb | `manifest` (fuzz/Cargo.toml + rust-core/fuzz/Cargo.toml) + coverage + audit |

## Test plan

- [x] YAML parse OK locally (python3 yaml.safe_load both files)
- [ ] CI on this PR — but circular-validation caveat applies (per #174 PR description) — `pull_request` runs target-branch workflow, not the PR's
- [ ] Owner merge order: #174 → this PR (this is stacked on `feat/rust-ci-reusable`; GitHub will retarget to `main` automatically once #174 merges)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/eclexiaiser
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/reposystem
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
to hyperpolymath/wokelang
that referenced
this pull request
May 26, 2026
Same wrapper commit message as the bqniser commit above; variant: **trivial** ("baseline check + clippy + fmt + test").
hyperpolymath
added a commit
that referenced
this pull request
May 26, 2026
…or.yml drift (#187)

## Summary

Extends the reusable-workflow pattern from #168 (governance-reusable + deno-ci-reusable) and #174 (rust-ci-reusable + elixir-ci-reusable) to the **mirror.yml** template. Estate audit picked this as the highest-leverage next foundational reusable across 5 candidates (codeql, secret-scanner, hypatia-scan, mirror, scorecard).

### Drift survey

`gh api /search/code` paginated against `org:hyperpolymath`, then blob-SHA grouped:

| Template | Deployments | Sampled | Unique SHAs | Top-SHA share |
|---|---|---|---|---|
| **mirror.yml** | **289** | **100** | **76 (76%)** | **16% — long tail** |
| codeql.yml | 263 | 100 | 70 (70%) | 32% |
| secret-scanner.yml | 281 | 100 | 55 (55%) | 47% |
| scorecard.yml | 258 | 258 (full) | 46 (18%) | 39% |
| hypatia-scan.yml | 255 | 200 | 31 (15.5%) | 50% |

(scorecard + hypatia-scan are already mostly converged → low leverage now.)

mirror.yml ranks first on **drift × deployments** (76% × 289 ≈ 220) and was verified to have **low feature variance**: all 4 top-SHA variants sampled (covering 29/100 sampled repos: bgp-backbone-lab, ipfs-overlay, kaldor-iiot, vcs-ircd) carried the **same 7 forge jobs** (gitlab, bitbucket, codeberg, sourcehut, disroot, gitea, radicle). Drift is action-SHA / whitespace churn — not feature variance — exactly the shape that consolidates cleanly behind one workflow_call reusable.

### Design

- **No per-call inputs other than runs-on** — per-repo forge selection already externalised to Actions vars `vars.<FORGE>_MIRROR_ENABLED == 'true'`, so the reusable mirrors the gating pattern verbatim.
- **secrets: inherit required at the call site** — the per-forge SSH keys (GITLAB_SSH_KEY, BITBUCKET_SSH_KEY, CODEBERG_SSH_KEY, SOURCEHUT_SSH_KEY, DISROOT_SSH_KEY, GITEA_SSH_KEY) and RADICLE_KEY flow through implicitly. Without secrets: inherit the inner secrets.X references evaluate to empty (silent push failure on each enabled forge).
- **vars.GITEA_HOST** consumed verbatim from the caller repo's Actions vars — same as the canonical mirror.yml.
- All actions SHA-pinned; SPDX header present; top-level permissions: contents: read; passes the workflow-lint job in governance-reusable.yml.

No filtering logic, so no regression-test file (cf. scripts/tests/apply-baseline-test.sh for the governance/baseline path that needs one).

### Caller wrapper shape (post-merge)

```yaml
# SPDX-License-Identifier: PMPL-1.0-or-later
name: Mirror to Git Forges
on:
  push:
    branches: [main]
  workflow_dispatch:
permissions:
  contents: read
jobs:
  mirror:
    uses: hyperpolymath/standards/.github/workflows/mirror-reusable.yml@<sha>
    secrets: inherit
```

~10 lines per repo, replacing ~145 lines.

### Rollout plan (downstream wrapper sweep)

**NOT started in this PR — owner-gated, same as #174's rust-ci sweep (which capped at 82 PRs).**

Numbers (from the 100-repo SHA-sample, extrapolated to 289):

- **289 repos** total deployments to convert
- **~85% trivially convertible** (forge set matches canonical 7-forge list; SHA-pinned actions only differ in pin SHA / whitespace). One mechanical wrapper PR per repo, same shape as the #168 wrappers (absolute-zero#41, tma-mark2#41).
- **~10-15% need careful review** — long-tail SHAs may include legitimate custom forges or local additions. Surface a per-repo diff during sweep; defer non-canonical variants to a follow-up.
- Sweep order: pin wrappers to **this PR's HEAD SHA** while owner-gated; rebase to merged-main SHA in the wave's final batch (same protocol as the rust-ci sweep).

### Pattern hardening (no per-PR action required)

- Same workflow_call shape as #168 / #174 — no new infrastructure.
- Independent of #174 (rust-ci-reusable.yml) and #180 (apply-baseline.sh glob fix) — no conflicts; can land in any order.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
hyperpolymath
added a commit
that referenced
this pull request
May 26, 2026
…ecrets to 281 repos (#190)

## Summary

Extends the reusable-workflow pattern from #168 / #174 / #187 to **secret-scanner.yml**. Same shape as #187 (no per-call inputs except `runs-on`; caller uses `secrets: inherit`).

### Why secret-scanner is the next foundational reusable

Estate drift survey (`gh api /search/code` paginated against `org:hyperpolymath`, blob-SHA grouped over **all 281 deployments**):

| Metric | Value |
|---|---|
| Total deployments | **281** |
| Unique blob SHAs | **54** |
| Structural drift | **19%** (top 4 SHAs cover 69%, top 6 cover 79%) |
| Feature variance | **near-zero** — all sampled variants carry the same 3 jobs (trufflehog + gitleaks + rust-secrets) at 75-81 lines |
| True drift source | action-SHA pin churn + whitespace |

The 100-sample drift estimate (55%) initially ranked secret-scanner third behind mirror; the full pagination reveals the actual figure is 19%. The variance was a sampling artefact.

### Security debt this PR force-fixes

The `shell-secrets` job was added to the canonical 2026-05-21 (commit `080c394`) in direct response to the **live Cloudflare API token leak** via `avow-protocol/deploy-repos.sh` (commit `5f2f8b2`) — a leak that both `trufflehog --only-verified` and default `gitleaks` missed. Of 16 estate `secret-scanner.yml` blobs sampled across the top + long-tail SHAs, **0 carry the `shell-secrets` job**. The post-incident guardrail intended to catch the *next* such leak has propagated to nothing. Consolidating the workflow behind this reusable means the wrapper sweep that follows this PR force-promotes `shell-secrets` to all 281 repos in one batch.

### Design

- **No per-call inputs other than `runs-on`** — each job self-conditions internally:
  - `rust-secrets` exits early on no `Cargo.toml` (safe on every repo)
  - `shell-secrets` no-ops without `.sh`/`.bash` files
  - `trufflehog` + `gitleaks` always-on (intended)
- **`secrets: inherit` required at the call site** — so the inner `secrets.GITHUB_TOKEN` reference in the `gitleaks-action` step resolves. Without `inherit` it falls back to anonymous mode (rate-limited; misses some PRs).
- **Caller keeps `on:` + `concurrency:`** — so the read-only cancel-superseded guardrail stays in the wrapper.
- SPDX header, top-level `permissions: contents: read`, all actions SHA-pinned — passes the `workflow-lint` job in `governance-reusable.yml`.

### Caller wrapper shape (post-merge)

```yaml
# SPDX-License-Identifier: PMPL-1.0-or-later
name: Secret Scanner
on:
  pull_request:
  push:
    branches: [main]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
jobs:
  scan:
    uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@<sha>
    secrets: inherit
```

~12 lines per repo, replacing ~75-116 lines.

### Rollout plan

**NOT started in this PR — owner-gated, same as #187 / #174 sweeps.**

| Wave | Repos | Action |
|---|---|---|
| 1: bulk-mechanical | ~275 | Canonical 3-job match. Fan-out single-commit wrapper PR per repo, pinned to this PR HEAD; rebase to merged-main SHA before batch firing. |
| 2: slim variants | ~6 | Repos with 2-job (missing `rust-secrets`) or 1-job (`trufflehog` only) older copies. Standardize-up safely since the missing job self-skips on non-applicable repos. |

Total expected sweep: ~281 PRs (well above the 82-PR rust-ci precedent — recommend batching by wave; user gates each wave start).

### Pattern hardening

- Same `workflow_call` shape as #168 / #174 / #187 — no new infrastructure.
- Independent of #174 (`rust-ci-reusable.yml`), #180 (`apply-baseline.sh` glob fix), and #187 (`mirror-reusable.yml`) — no file conflicts; lands in any order.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
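An added illustration, not the standards repo's own `workflow-lint` job: line-based checks on a thin caller wrapper for the properties these commit messages name (SPDX header, top-level `permissions: contents: read`, `uses:` pinned to a full commit SHA) plus the literal `npermissions:` corruption the elixir-ci audit found. `lint_wrapper`, the two sample wrappers and the all-zero placeholder SHA are constructed for this example.

```python
# Added illustration (not the standards repo's workflow-lint job): line-based
# checks on a caller wrapper for the properties the commit messages name.
import re
from itertools import takewhile

USES = re.compile(r"^\s*uses:\s*\S+")
SHA_PINNED = re.compile(r"^\s*uses:\s*\S+@[0-9a-f]{40}\s*(#.*)?$")


def lint_wrapper(text):
    """Return findings for a wrapper workflow; an empty list passes these checks."""
    lines = text.splitlines()
    findings = []
    if not lines or not lines[0].startswith("# SPDX-License-Identifier:"):
        findings.append("line 1: missing SPDX-License-Identifier header")
    for no, line in enumerate(lines, 1):
        if re.match(r"^\s*npermissions:", line):  # botched injection sweep residue
            findings.append(f"line {no}: literal 'npermissions:' key (corrupt YAML)")
        if USES.match(line) and not SHA_PINNED.match(line):  # e.g. @main
            findings.append(f"line {no}: 'uses:' ref is not a full commit SHA")
    block = []  # indented lines under the column-0 'permissions:' key
    if "permissions:" in lines:
        block = [l.strip() for l in takewhile(lambda l: l.startswith(" "),
                                              lines[lines.index("permissions:") + 1:])]
    if block != ["contents: read"]:
        findings.append("top-level 'permissions:' must be exactly 'contents: read'")
    return findings


PLACEHOLDER_SHA = "0" * 40  # stands in for a real standards-repo commit SHA
# Constructed wrappers: one in the post-merge shape, one with the drift-era defects.
GOOD_WRAPPER = f"""# SPDX-License-Identifier: PMPL-1.0-or-later
name: Secret Scanner
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  scan:
    uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@{PLACEHOLDER_SHA}
    secrets: inherit
"""
BAD_WRAPPER = """name: Rust CI
on:
  push: { branches: [main, master] }
npermissions:
permissions:
  contents: write
jobs:
  rust-ci:
    uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main
"""
```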
Why — extends #168 to the next two template-drift bug classes
`#168` (merged) consolidated language-policy into governance-reusable and added deno-ci-reusable. That pattern — single source-of-truth reusable in standards consumed via a thin wrapper — kills the "every copy drifts independently" failure mode.
Estate audit done with `gh api search/code` (2026-05-26):
`elixir-ci.yml` is especially bad — every copy is unique, and at least one (`bofig`) is YAML-broken with literal `npermissions:` lines from a botched estate sweep.
What changes
Two new reusable workflows in `.github/workflows/`:
`rust-ci-reusable.yml`
`elixir-ci-reusable.yml`
Downstream rollout
After merge, each of the 137 (Rust) / 9 (Elixir) repos can replace its local copy with a 5-line wrapper:
```yaml
# .github/workflows/rust-ci.yml
name: Rust CI
on:
  push: { branches: [main, master] }
  pull_request:
permissions:
  contents: read
jobs:
  rust-ci:
    # @main is a moving ref; the rollout sweeps described on this page pin to a commit SHA
    uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main
```
Same shape as `governance.yml` → `governance-reusable.yml`, and the absolute-zero #41 + tma-mark2 #41 `deno-ci.yml` wrappers landed yesterday. Rollout can be fanned out per-repo.
Test plan