fix(ci): make the LSP/DAP/BSP gate real + policy-compliant#205
Merged
Conversation
The "ABI Specification Check (Idris2)" job never ran Idris2 — it only grepped, and the grep matched each abi/README.adoc's own "Zero believe_me..." prose, so the gate red-flagged every run (it broke #196's CI). The Zig install curled ziglang.org/builds/...0.15.2 (the nightly dir, not releases) and died. The panel check used python3 against the repo's no-Python policy. - abi-check: scope the banned-axiom grep to *.idr (no more README false positive); the full idris2 --check of every ABI is proofs.yml's job. - ffi-build: replace the dead curl with goto-bus-stop/setup-zig at .tool-versions' 0.15.1, matching e2e.yml. - panel-validation: python3 json.tool/json.load -> jq (no-Python policy). - add timeout-minutes to all 4 jobs + a concurrency group. Resolves several #199 items. Real proof verification lives in proofs.yml. https://claude.ai/code/session_019tMcRS1Dm1nWjjYP4WvbJa
🔍 Hypatia Security ScanFindings: 274 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Action if: always()\n uses: actions/upload-artifact@ea165f8 needs attention",
"type": "unpinned_action",
"file": "e2e.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in abi-drift.yml",
"type": "missing_timeout_minutes",
"file": "abi-drift.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in container-publish.yml",
"type": "missing_timeout_minutes",
"file": "container-publish.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Makes the LSP/DAP/BSP CI gate actually verify instead of grep-and-hope, and brings it into policy. These are the two pre-existing red checks that surfaced on #196, plus flagged #199 items — all in one file.
Fixes
abi-check— the "ABI Specification Check (Idris2)" job never ran Idris2; it grepedbelieve_me|assert_total|sorryrecursively and matched eachabi/README.adoc's own "Zero believe_me…" prose → false-positive on every run. Now scoped to--include='*.idr'(a fast leaf-axiom guard). The realidris2 --checkof every ABI isproofs.yml's job.ffi-build— replaced the deadcurl ziglang.org/builds/…0.15.2(nightly dir, not releases →tardied) withgoto-bus-stop/setup-zig@.tool-versions' 0.15.1, matchinge2e.yml.panel-validation—python3 json.tool/json.load→jq(the repo's no-Python policy).timeout-minutesto all 4 jobs + aconcurrencygroup.Verified locally
lsp-mcp/abi/README.adoc; finds zero axioms in the.idr(correct — leaf proofs are axiom-free, just confirmed across all 108 boj-server cartridge ABIs by a realidris2 --checksweep).jqforms validate the panel manifests (3 panels each).Resolves the two
lsp-dap-bsp.ymlreds + several workflow-audit items in #199.https://claude.ai/code/session_019tMcRS1Dm1nWjjYP4WvbJa
Generated by Claude Code