ci: SHA-pin actions/add-to-project (fix roadmap auto-add startup_failure) #580

Merged
hyperpolymath merged 1 commit into main from fix/sha-pin-add-to-project
Jun 13, 2026

Conversation

@hyperpolymath

Owner

What

SHA-pin actions/add-to-project in .github/workflows/add-to-roadmap.yml.

Why

The roadmap-automation workflow (added in the board-automation pilot) referenced
actions/add-to-project@v1.0.2 — a tag. This repo enforces
sha_pinning_required=true on Actions, so the tag ref produced a
startup_failure: the workflow never ran, and new issues/PRs were not being
added to roadmap project #35. Confirmed via a throwaway test issue
(hypatia#477) whose run failed at startup while sibling SHA-pinned workflows
succeeded.

Pinned to the v1.0.2 commit 244f685bbc3b7adfa8466e08b698b5577571133e
(comment retains the human-readable version). This is the only change needed to
make the pilot loop live.

🤖 Generated with Claude Code

add-to-roadmap.yml referenced actions/add-to-project@v1.0.2 (a tag).
This repo sets sha_pinning_required=true on Actions, so the tag ref
caused a startup_failure: the workflow never ran and new issues/PRs
were not added to roadmap project #35. Pin to the v1.0.2 commit SHA
(sibling workflows are all SHA-pinned, which is why they succeed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
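As an added check (not code from this PR, the repository, or the Hypatia scanner), a small Python audit that reports every `uses:` reference in a workflow file that is not a full 40-hex commit SHA, which is the condition a `sha_pinning_required=true` policy rejects and that produced the startup_failure described above. The sample workflow text and the `EXAMPLE-ORG` project URL are constructed; the tag and SHA values are the ones named in the PR.

```python
import re

# Line-based on purpose so the check needs no YAML library: `uses:` values are
# plain scalars. Captures the ref and tolerates quotes and a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref: str) -> str:
    """Classify one `uses:` ref as 'sha', 'mutable' (tag/branch/short SHA/none) or 'local'."""
    if ref.startswith(('./', 'docker://')):
        return 'local'  # repo-local actions and docker images are outside tag-vs-SHA pinning
    if '@' not in ref:
        return 'mutable'  # no ref at all resolves to the action's default branch
    _, _, version = ref.rpartition('@')
    # Only a full 40-hex commit SHA is immutable; abbreviated SHAs and tags can move.
    return 'sha' if FULL_SHA_RE.match(version) else 'mutable'


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per `uses:` line whose ref would fail SHA-pinning enforcement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == 'mutable':
            findings.append({'line': lineno, 'uses': m.group(1), 'action': 'pin_sha'})
    return findings


# Constructed sample mirroring the PR: the tag ref that caused the startup_failure,
# then the SHA-pinned form with the human-readable version kept in a comment.
SAMPLE_BEFORE = """\
name: Add to roadmap
on:
  issues: {types: [opened]}
jobs:
  add:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/orgs/EXAMPLE-ORG/projects/35
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "actions/add-to-project@v1.0.2",
    "actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2",
)

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_workflow(text) or "all uses: refs SHA-pinned")
```

Run it over `.github/workflows/*.yml` in CI and fail the job on a non-empty result to catch a tag ref before it reaches a repository that enforces SHA pinning.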
@github-actions


🔍 Hypatia Security Scan

Findings: 44 issues detected

Severity Count
🔴 Critical 2
🟠 High 22
🟡 Medium 20

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action denoland/setup-deno@v2 needs attention",
    "type": "unpinned_action",
    "file": "publish-jsr.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in add-to-roadmap.yml",
    "type": "missing_timeout_minutes",
    "file": "add-to-roadmap.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (32 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (29 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 4343e01 into main Jun 13, 2026
29 of 30 checks passed
@hyperpolymath hyperpolymath deleted the fix/sha-pin-add-to-project branch June 13, 2026 18:59