
feat(governance): add scorecard-reusable.yml — close 5-candidate convergence set #205

Merged
hyperpolymath merged 1 commit into main from feat/scorecard-reusable on May 26, 2026

Conversation

@hyperpolymath (Owner)

Summary

5th and final reusable in the workflow convergence campaign (see #199 for the meta-doc). Consolidates the per-repo scorecard.yml workflow.

Drift signal (full pagination + per-repo verified)

  • 258 top-level estate deployments
  • 626 nested copies in monorepos (asdf-tool-plugins, developer-ecosystem, ssg-collection, standards, ambientops, julia-ecosystem, etc. — Layer-2 truncation discovery via #204's helper: "tooling(scripts): nested-path support — Git Tree helper + classifier consumers")
  • 46 unique blob SHAs / 17.8% structural drift
  • Top SHA covers 100/258 (38.8%) — highest dominant-cluster of the 5 campaigns
  • Top 7 SHAs cover ~80%
  • 100% mechanical drift, ZERO feature variance — SPDX header (PMPL-1.0 / PMPL-1.0-or-later / MPL-2.0), upload-sarif SHA-pin churn, permissions: read-all vs contents: read wording

Design

  • One input: runs-on (default ubuntu-latest)
  • No secrets: inherit — Scorecard uses GITHUB_TOKEN directly
  • Caller MUST grant security-events: write + id-token: write on the calling job (called-workflow permissions are capped by caller)
  • Caller keeps own on: triggers + concurrency: group

Per Layer-3 caveat from the campaign meta-doc

Nested workflows are inert — GitHub Actions only runs .github/workflows/ at the repo root. Sweeping the 626 nested copies is single-source-of-truth cleanup, not security hardening.

Campaign convergence set (closes with this PR)

  PR        Template
  #187      mirror-reusable.yml
  #190      secret-scanner-reusable.yml
  #192      codeql-reusable.yml
  #193      hypatia-scan-reusable.yml
  #194      sweep-classifier scripts
  #199      campaign meta-doc
  #204      list-workflow-paths.sh (bypass /search/code undercount)
  this PR   scorecard-reusable.yml

Test plan

  • Wrapper sweep (~258 top-level + ~626 nested) — owner-gated; not part of this PR
  • Update classify-* scripts to consume helper TSV — follow-up

🤖 Generated with Claude Code
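The Design section above lists the contract of the reusable (one `runs-on` input, no `secrets: inherit`, caller-granted `security-events: write` and `id-token: write`, caller-owned triggers and concurrency). The two documents below are an added example of what that contract looks like on each side of the call; they are not the file merged in #205 nor any estate repo's wrapper. The action version tags are assumptions shown for readability (the estate pins full commit SHAs, which is what the Hypatia finding `unpinned_action` above is checking for); the reusable's ref in the wrapper is the #205 merge SHA quoted in the referencing commits on this page.

```yaml
# --- Called side: .github/workflows/scorecard-reusable.yml in the standards repo ---
# Illustrative shape only (added example, not the file merged in #205).
name: Scorecard (reusable)

on:
  workflow_call:
    inputs:
      runs-on:
        description: Runner label for the analysis job
        type: string
        required: false
        default: ubuntu-latest
    # No `secrets:` block: scorecard-action and upload-sarif use the caller's GITHUB_TOKEN.

jobs:
  analysis:
    runs-on: ${{ inputs.runs-on }}
    # These are requests, not grants. GitHub caps a called workflow's permissions
    # at whatever the calling job granted, so the wrapper below must grant at least this.
    permissions:
      contents: read
      security-events: write   # needed by upload-sarif (code scanning)
      id-token: write          # needed by publish_results (OIDC to the Scorecard API)
    steps:
      - uses: actions/checkout@v4                   # ASSUMPTION: tag shown; pin a full SHA in the estate
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.0          # ASSUMPTION: tag shown; pin a full SHA in the estate
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3  # ASSUMPTION: tag shown; pin a full SHA in the estate
        with:
          sarif_file: results.sarif

---
# --- Caller side: the "thin wrapper" .github/workflows/scorecard.yml in an estate repo ---
name: Scorecard

on:                       # triggers stay with the caller
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [main]

concurrency:              # concurrency group stays with the caller
  group: scorecard-${{ github.ref }}
  cancel-in-progress: true

permissions: read-all     # workflow-level default; the job below raises what the call needs

jobs:
  scorecard:
    permissions:          # the ceiling for everything the called workflow does
      contents: read
      security-events: write
      id-token: write
    # Pinned to the #205 merge SHA from this page rather than @main, so the caller
    # runs a fixed, reviewed body instead of whatever main points at today.
    uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
    with:
      runs-on: ubuntu-latest
```

The check a reviewer applies to each wrapper is the job-level `permissions:` block on the `uses:` job, not the workflow-level `permissions: read-all` vs `contents: read` wording that the drift signal says varies across the estate: if the calling job omits `security-events: write`, the upload-sarif step in the called workflow fails with a 403 regardless of what the reusable declares, and the same holds for `id-token: write` and `publish_results`.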

…ergence set

Consolidates 258 top-level estate deployments + 626 nested copies of
scorecard.yml into one reusable workflow.

Drift signal:
  - 258 top-level / 46 unique blob SHAs / 17.8% structural drift
  - Top SHA covers 100/258 (38.8%); top 7 cover ~80%
  - 100% of drift is MECHANICAL — SPDX header lag, action SHA-pin
    drift, permissions wording — ZERO feature variance across all 46
    blob SHAs

Design:
  - One input: `runs-on` (default ubuntu-latest)
  - No `secrets: inherit` needed — uses GITHUB_TOKEN directly
  - Caller MUST grant `security-events: write` + `id-token: write`
    on the calling job (capped by caller per GitHub Actions semantics)

This closes the workflow convergence campaign 5-candidate set (#187
mirror, #190 secret-scanner, #192 codeql, #193 hypatia-scan, #194
classifier tooling, #199 campaign meta-doc, #204 list-workflow-paths
helper, this PR).
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 26, 2026 12:52
hyperpolymath added a commit that referenced this pull request May 26, 2026
Walked the Git Tree API for all 5 templates via list-workflow-paths.sh
from #204. Findings:

- Top-level path-filtered queries were 1-35% undercounted across
  all 5 templates (worst: hypatia-scan 255 -> 344, +89 / 35%).
- Nested-copy counts were 100%+ undercounted for mirror.yml
  (133 reported -> 335 true).
- hypatia-scan top-level has only 3 unique blob SHAs across
  344 sites -> 0.9% drift on the executing surface (vs the
  11.8% drift the PR body reports for top-level+nested).

Replaced the 'Corrected estate counts' section with three tables:
helper-validated totals, top-level-only drift, and initial-survey
undercount summary. Added LOC retirement table: ~275k LOC top-level
across the 5 reusables, ~732k including nested copies.

Updated Layer 2 documentation to note path-filtered queries are
ALSO truncated (previously the doc only said broad queries were).

Updated Standing follow-ups: marked the per-(repo,path) classifier
ingestion DONE (shipped in #204); removed the 'file scorecard' item
(filed as #205); added quarterly re-run suggestion.
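The drift figures in the PR body (unique blob SHAs over deployments, dominant-cluster share, top-7 coverage) and the top-level-only drift in the commit above are all ratios over a per-site listing of (repo, path, blob SHA). The script below is an added example, not list-workflow-paths.sh or the classify-* scripts, that computes those metrics from a constructed TSV in that three-column shape. It applies the Layer-3 distinction the page draws: only a path directly under the repo-root `.github/workflows/` counts as an executing top-level copy; anything with a directory prefix is an inert nested copy, so the "top" scope is the one that measures drift on the executing surface.

```shell
#!/bin/sh
# Added example, not the project's list-workflow-paths.sh or classify-* scripts.
# Input shape assumed: one site per line, TAB-separated: repo, path, blob SHA.
set -eu

# Constructed sample listing (10 sites across 8 repos; the SHAs are made up).
SAMPLE_TSV=$(mktemp)
{
  printf '%s\t%s\t%s\n' repo-a .github/workflows/scorecard.yml aaaa
  printf '%s\t%s\t%s\n' repo-b .github/workflows/scorecard.yml aaaa
  printf '%s\t%s\t%s\n' repo-c .github/workflows/scorecard.yml aaaa
  printf '%s\t%s\t%s\n' repo-d .github/workflows/scorecard.yml bbbb
  printf '%s\t%s\t%s\n' repo-e .github/workflows/scorecard.yml bbbb
  printf '%s\t%s\t%s\n' repo-f .github/workflows/scorecard.yml cccc
  printf '%s\t%s\t%s\n' repo-g .github/workflows/scorecard.yml dddd
  printf '%s\t%s\t%s\n' repo-g plugins/x/.github/workflows/scorecard.yml dddd
  printf '%s\t%s\t%s\n' repo-h tools/y/.github/workflows/scorecard.yml eeee
  printf '%s\t%s\t%s\n' repo-h .github/workflows/scorecard.yml ffff
} > "$SAMPLE_TSV"

# Keep rows in the requested scope. Only a path directly under the repo-root
# .github/workflows/ executes; anything with a prefix is an inert nested copy.
select_scope() {  # $1 = tsv, $2 = top | nested | all
  awk -F'\t' -v scope="$2" '
    { top = ($2 ~ "^\\.github/workflows/[^/]+$")
      if (scope == "all" || (scope == "top" && top) || (scope == "nested" && !top)) print }
  ' "$1"
}

count_deploys() { select_scope "$1" "$2" | wc -l | tr -d ' '; }
count_unique()  { select_scope "$1" "$2" | cut -f3 | sort -u | wc -l | tr -d ' '; }

# "Structural drift": unique blob SHAs as a percentage of deployments.
drift_pct() {  # $1 = tsv, $2 = scope
  n=$(count_deploys "$1" "$2"); u=$(count_unique "$1" "$2")
  awk -v n="$n" -v u="$u" 'BEGIN { printf "%.1f\n", (n ? 100 * u / n : 0) }'
}

# Percentage of deployments covered by the k most common SHAs
# (k=1 is the dominant-cluster share; k=7 is the "top 7 cover ~80%" figure).
topk_coverage_pct() {  # $1 = tsv, $2 = scope, $3 = k
  n=$(count_deploys "$1" "$2")
  select_scope "$1" "$2" | cut -f3 | sort | uniq -c | sort -rn | head -n "$3" |
    awk -v n="$n" '{ s += $1 } END { printf "%.1f\n", (n ? 100 * s / n : 0) }'
}

# One line per scope, so top-level-only and top-level+nested drift can be compared.
report() {  # $1 = tsv
  for scope in top nested all; do
    printf '%-7s deploys=%s unique=%s drift=%s%% top1=%s%% top2=%s%%\n' "$scope" \
      "$(count_deploys "$1" "$scope")" "$(count_unique "$1" "$scope")" \
      "$(drift_pct "$1" "$scope")" "$(topk_coverage_pct "$1" "$scope" 1)" \
      "$(topk_coverage_pct "$1" "$scope" 2)"
  done
}

report "$SAMPLE_TSV"
```

On the constructed data the top-level scope has 8 sites and 5 unique SHAs (62.5% drift, dominant cluster 37.5%), while the two nested copies are 100% drifted; that gap is the same effect the commit above reports for hypatia-scan, where the executing surface is far more converged than the top-level+nested figure suggests.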
@github-actions

🔍 Hypatia Security Scan

Findings: 118 issues detected

  Severity      Count
  🔴 Critical      64
  🟠 High          43
  🟡 Medium        11

⚠️ Action Required: Critical security issues found!

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "deno-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
    "type": "agda_postulate",
    "file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit e0caf11 into main May 26, 2026
18 checks passed
@hyperpolymath hyperpolymath deleted the feat/scorecard-reusable branch May 26, 2026 17:31
This was referenced May 26, 2026
hyperpolymath added a commit to hyperpolymath/dafniser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA
`e0caf11508a3989574713c78f5f444f2ce5e33ef`. Replaces the canonical
scorecard.yml with a thin wrapper. Closes the 5-candidate convergence
set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 /
#205).
hyperpolymath added a commit to hyperpolymath/affinescriptiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA
`e0caf11508a3989574713c78f5f444f2ce5e33ef`. Replaces the canonical
scorecard.yml with a thin wrapper. Closes the 5-candidate convergence
set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 /
#205).
hyperpolymath added a commit to hyperpolymath/anvomidaviser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/phronesiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA
`e0caf11508a3989574713c78f5f444f2ce5e33ef`. Replaces the canonical
scorecard.yml with a thin wrapper. Closes the 5-candidate convergence
set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 /
#205).
hyperpolymath added a commit to hyperpolymath/tlaiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/mylangiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/eclexiaiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA
`e0caf11508a3989574713c78f5f444f2ce5e33ef`. Replaces the canonical
scorecard.yml with a thin wrapper. Closes the 5-candidate convergence
set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 /
#205).
hyperpolymath added a commit to hyperpolymath/a2ml-pre-commit that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/squeakwell that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/iseriser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/betlangiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/chapeliser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/halideiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/bqniser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA
`e0caf11508a3989574713c78f5f444f2ce5e33ef`. Replaces the canonical
scorecard.yml with a thin wrapper. Closes the 5-candidate convergence
set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 /
#205).
hyperpolymath added a commit to hyperpolymath/oblibeniser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA
`e0caf11508a3989574713c78f5f444f2ce5e33ef`. Replaces the canonical
scorecard.yml with a thin wrapper. Closes the 5-candidate convergence
set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 /
#205).
hyperpolymath added a commit to hyperpolymath/wokelangiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/atsiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/ephapaxiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/ponyiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/dictask that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/nimiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/pandoc-a2ml that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/kategoria that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/mtpc-template-repo that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/k9-haskell that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/otpiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/a2ml-rs that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/a2ml-haskell that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/alloyiser that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).
hyperpolymath added a commit to hyperpolymath/k9-rs that referenced this pull request May 27, 2026
Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the
canonical scorecard.yml with a thin wrapper. Closes the 5-candidate
convergence set (mirror, secret-scanner, codeql, hypatia-scan, scorecard).

Part of estate-wide convergence campaign 2026-05-26
(standards#199 / #205).