diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
index a8f2402f..b2047c91 100644
--- a/.github/workflows/governance-reusable.yml
+++ b/.github/workflows/governance-reusable.yml
@@ -128,7 +128,17 @@ jobs:
 BLOCKING_THRESHOLD: info
 run: |
 echo "Scanning repository: ${{ github.repository }} (checking baseline)"
- HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.raw.json
+ # hypatia's `scan` exits non-zero whenever it finds anything — that is
+ # by design, and under `bash -e` it would abort this step at this line,
+ # before the baseline filter (the real gate) ever runs. Tolerate the
+ # scan's own exit code…
+ HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.raw.json || true
+ # …but never swallow a genuine scanner crash into a false pass: require a
+ # valid JSON array before trusting the output as "the findings".
+ if ! jq -e 'type == "array"' hypatia-findings.raw.json >/dev/null 2>&1; then
+ echo "::error::hypatia scan did not produce a valid JSON findings array (scanner error, not a baseline result)"
+ exit 1
+ fi
 # Relativize finding paths before matching. Hypatia's honest_completion
 # and code_safety modules emit ABSOLUTE host paths in `.file`