feat(governance): add mirror-reusable.yml — consolidate 289-repo mirror.yml drift#187
Merged
…or.yml drift

Extends the #168/#174 reusable-workflow pattern. Estate audit (gh code search + sampled blob hashes) found 289 deployments of mirror.yml with 76% SHA drift across a 100-repo sample; top SHA covers only 16% of sampled repos. All four top variants carried the same 7 forge jobs — the drift is action-SHA / whitespace churn, not feature variance — so the workflow consolidates cleanly behind one `workflow_call` reusable. Each forge job remains gated on the existing per-repo Actions variable `vars.<FORGE>_MIRROR_ENABLED == 'true'`, so per-repo selection still works without any per-call inputs. Callers use `secrets: inherit` so the per-forge SSH keys (and RADICLE_KEY) flow through. After merge, a downstream wrapper sweep can collapse each ~145-line per-repo `mirror.yml` to a ~10-line wrapper that calls this reusable — estimated reduction: ~145 LOC × 289 repos ≈ 42k lines, plus erases the SHA-pin drift surface.
🔍 Hypatia Security Scan

Findings: 118 issues detected (first 10 shown)

```json
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "deno-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
    "type": "agda_postulate",
    "file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath added a commit that referenced this pull request (May 26, 2026):
…ecrets to 281 repos (#190)

## Summary

Extends the reusable-workflow pattern from #168 / #174 / #187 to **secret-scanner.yml**. Same shape as #187 (no per-call inputs except `runs-on`; caller uses `secrets: inherit`).

### Why secret-scanner is the next foundational reusable

Estate drift survey (`gh api /search/code` paginated against `org:hyperpolymath`, blob-SHA grouped over **all 281 deployments**):

| Metric | Value |
|---|---|
| Total deployments | **281** |
| Unique blob SHAs | **54** |
| Structural drift | **19%** (top 4 SHAs cover 69%, top 6 cover 79%) |
| Feature variance | **near-zero** — all sampled variants carry the same 3 jobs (trufflehog + gitleaks + rust-secrets) at 75-81 lines |
| True drift source | action-SHA pin churn + whitespace |

The 100-sample drift estimate (55%) initially ranked secret-scanner third behind mirror; the full pagination reveals the actual figure is 19%. The variance was a sampling artefact.

### Security debt this PR force-fixes

The `shell-secrets` job was added to the canonical 2026-05-21 (commit `080c394`) in direct response to the **live Cloudflare API token leak** via `avow-protocol/deploy-repos.sh` (commit `5f2f8b2`) — a leak that both `trufflehog --only-verified` and default `gitleaks` missed. Of 16 estate `secret-scanner.yml` blobs sampled across the top + long-tail SHAs, **0 carry the `shell-secrets` job**. The post-incident guardrail intended to catch the *next* such leak has propagated to nothing. Consolidating the workflow behind this reusable means the wrapper sweep that follows this PR force-promotes `shell-secrets` to all 281 repos in one batch.

### Design

- **No per-call inputs other than `runs-on`** — each job self-conditions internally:
  - `rust-secrets` exits early on no `Cargo.toml` (safe on every repo)
  - `shell-secrets` no-ops without `.sh`/`.bash` files
  - `trufflehog` + `gitleaks` always-on (intended)
- **`secrets: inherit` required at the call site** — so the inner `secrets.GITHUB_TOKEN` reference in the `gitleaks-action` step resolves. Without `inherit` it falls back to anonymous mode (rate-limited; misses some PRs).
- **Caller keeps `on:` + `concurrency:`** — so the read-only cancel-superseded guardrail stays in the wrapper.
- SPDX header, top-level `permissions: contents: read`, all actions SHA-pinned — passes the `workflow-lint` job in `governance-reusable.yml`.

### Caller wrapper shape (post-merge)

```yaml
# SPDX-License-Identifier: PMPL-1.0-or-later
name: Secret Scanner
on:
  pull_request:
  push:
    branches: [main]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
jobs:
  scan:
    uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@<sha>
    secrets: inherit
```

~12 lines per repo, replacing ~75-116 lines.

### Rollout plan

**NOT started in this PR — owner-gated, same as #187 / #174 sweeps.**

| Wave | Repos | Action |
|---|---|---|
| 1: bulk-mechanical | ~275 | Canonical 3-job match. Fan-out single-commit wrapper PR per repo, pinned to this PR HEAD; rebase to merged-main SHA before batch firing. |
| 2: slim variants | ~6 | Repos with 2-job (missing `rust-secrets`) or 1-job (`trufflehog` only) older copies. Standardize-up safely since the missing job self-skips on non-applicable repos. |

Total expected sweep: ~281 PRs (well above the 82-PR rust-ci precedent — recommend batching by wave; user gates each wave start).

### Pattern hardening

- Same `workflow_call` shape as #168 / #174 / #187 — no new infrastructure.
- Independent of #174 (`rust-ci-reusable.yml`), #180 (`apply-baseline.sh` glob fix), and #187 (`mirror-reusable.yml`) — no file conflicts; lands in any order.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
hyperpolymath added a commit to hyperpolymath/presswerk that referenced this pull request (May 26, 2026):
Pins to hyperpolymath/standards#187 merge SHA e6b2884722350515934d443daf23442f2195796f. Replaces the canonical mirror.yml (~145 lines, drift-prone) with a thin ~13-line wrapper. Forge selection still externalised to vars.<FORGE>_MIRROR_ENABLED. Part of estate-wide convergence campaign 2026-05-26 (standards#199 / #187).
hyperpolymath added a commit that referenced this pull request (May 26, 2026):
…ergence set (#205)

## Summary

5th and final reusable in the workflow convergence campaign (see #199 for the meta-doc). Consolidates the per-repo `scorecard.yml` workflow.

## Drift signal (full pagination + per-repo verified)

- **258** top-level estate deployments
- **626** nested copies in monorepos (asdf-tool-plugins, developer-ecosystem, ssg-collection, standards, ambientops, julia-ecosystem, etc. — Layer-2 truncation discovery via #204's helper)
- **46** unique blob SHAs / 17.8% structural drift
- Top SHA covers **100/258 (38.8%)** — highest dominant-cluster of the 5 campaigns
- Top 7 SHAs cover ~80%
- **100% mechanical drift, ZERO feature variance** — SPDX header (PMPL-1.0 / PMPL-1.0-or-later / MPL-2.0), `upload-sarif` SHA-pin churn, `permissions: read-all` vs `contents: read` wording

## Design

- One input: `runs-on` (default ubuntu-latest)
- No `secrets: inherit` — Scorecard uses `GITHUB_TOKEN` directly
- Caller MUST grant `security-events: write` + `id-token: write` on the calling job (called-workflow permissions are capped by caller)
- Caller keeps own `on:` triggers + `concurrency:` group

## Per Layer-3 caveat from the campaign meta-doc

Nested workflows are inert — GitHub Actions only runs `.github/workflows/` at the repo root. Sweeping the 626 nested copies is single-source-of-truth cleanup, not security hardening.

## Campaign convergence set (closes with this PR)

| PR | Template |
|---|---|
| #187 | mirror-reusable.yml |
| #190 | secret-scanner-reusable.yml |
| #192 | codeql-reusable.yml |
| #193 | hypatia-scan-reusable.yml |
| #194 | sweep-classifier scripts |
| #199 | campaign meta-doc |
| #204 | list-workflow-paths.sh (bypass /search/code undercount) |
| **this** | **scorecard-reusable.yml** |

## Test plan

- [ ] Wrapper sweep (~258 top-level + ~626 nested) — owner-gated; not part of this PR
- [ ] Update classify-* scripts to consume helper TSV — follow-up

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Summary
Extends the reusable-workflow pattern from #168 (governance-reusable + deno-ci-reusable) and #174 (rust-ci-reusable + elixir-ci-reusable) to the mirror.yml template.
Estate audit picked this as the highest-leverage next foundational reusable across 5 candidates (codeql, secret-scanner, hypatia-scan, mirror, scorecard).
Drift survey
`gh api /search/code` paginated against `org:hyperpolymath`, then blob-SHA grouped:

(scorecard + hypatia-scan are already mostly converged → low leverage now.)
mirror.yml ranks first on drift × deployments (76% × 289 ≈ 220) and was verified to have low feature variance: all 4 top-SHA variants sampled (covering 29/100 sampled repos: bgp-backbone-lab, ipfs-overlay, kaldor-iiot, vcs-ircd) carried the same 7 forge jobs (gitlab, bitbucket, codeberg, sourcehut, disroot, gitea, radicle). Drift is action-SHA / whitespace churn — not feature variance — exactly the shape that consolidates cleanly behind one workflow_call reusable.
Design
No filtering logic, so no regression-test file (cf. scripts/tests/apply-baseline-test.sh for the governance/baseline path that needs one).
Caller wrapper shape (post-merge)
```yaml
# SPDX-License-Identifier: PMPL-1.0-or-later
name: Mirror to Git Forges
on:
  push:
    branches: [main]
  workflow_dispatch:
permissions:
  contents: read
jobs:
  mirror:
    uses: hyperpolymath/standards/.github/workflows/mirror-reusable.yml@<sha>
    secrets: inherit
```
~10 lines per repo, replacing ~145 lines.
Rollout plan (downstream wrapper sweep)
NOT started in this PR — owner-gated, same as #174's rust-ci sweep (which capped at 82 PRs).
Numbers (from the 100-repo SHA-sample, extrapolated to 289):
Pattern hardening (no per-PR action required)
🤖 Generated with Claude Code
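The blob-SHA drift survey described under "Drift survey" above, as an added shell example that is not the PR's or the standards repo's own tooling: `fetch_deployments` wraps the `gh api` code-search call the description mentions (assumes an authenticated `gh`; not exercised offline), and `drift_report` derives the deployments, unique-blob, structural-drift and top-K coverage figures from `repo<TAB>blob_sha` lines, here over a constructed sample.

```shell
#!/bin/sh
# Added example: reproduce the per-workflow blob-SHA drift survey for one
# workflow filename across a GitHub org. Not part of the PR; `gh` is assumed
# authenticated and fetch_deployments is never called in the offline sample run.

# fetch_deployments ORG FILENAME -> "repo<TAB>blob_sha" per code-search hit.
# Caveat: /search/code caps results and undercounts nested copies (the PR thread
# notes a list-workflow-paths.sh helper was needed to bypass that undercount).
fetch_deployments() {
  gh api -X GET --paginate search/code \
    -f q="org:$1 path:.github/workflows filename:$2" \
    --jq '.items[] | [.repository.full_name, .sha] | @tsv'
}

# drift_report [K] < tsv -> "deployments<TAB>unique<TAB>drift_pct<TAB>topK_pct"
#   drift_pct = unique blob SHAs / deployments ("structural drift" in the PR)
#   topK_pct  = share of deployments covered by the K most common blobs (K=1 default)
drift_report() {
  k=${1:-1}
  cut -f2 | sort | uniq -c | sort -rn | awk -v k="$k" '
    { n += $1; u++; if (u <= k) top += $1 }
    END {
      if (n == 0) { printf "0\t0\t0\t0\n"; exit }
      printf "%d\t%d\t%d\t%d\n", n, u, int(100*u/n + 0.5), int(100*top/n + 0.5)
    }'
}

# Constructed sample: 10 repos, 7 distinct blobs; the top blob covers 3 repos,
# the second covers 2. Real runs pipe fetch_deployments output instead.
SAMPLE=$(printf 'org/r1\taaa\norg/r2\taaa\norg/r3\taaa\norg/r4\tbbb\norg/r5\tbbb\norg/r6\tccc\norg/r7\tddd\norg/r8\teee\norg/r9\tfff\norg/r10\tggg')

# Usage: printf '%s\n' "$SAMPLE" | drift_report 1
```

A drift_pct near 100% with near-equal top-K coverage means every copy differs (pin churn); a high top-1 share with identical job sets is the "mechanical drift, no feature variance" shape that consolidates safely.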