
fix(ci): split scorecard job to satisfy OpenSSF publish-results job-shape rule#467

Merged
hyperpolymath merged 1 commit into
mainfrom
worktree-fix-scorecard-enforcer-job-shape
Jul 4, 2026

Conversation

@hyperpolymath

Owner

Summary

  • scorecard-enforcer.yml has failed on every single push to main since at least 2026-07-01 (verified: last 3+ runs all failure), not from any content problem but from a structural workflow bug.
  • The scorecard job's actual analysis succeeds (score 7.2/10) but the publish-results step then fails: `workflow verification failed: scorecard job must only have steps with 'uses'` — OpenSSF's scorecard-action rejects any job for publish that mixes shell `run:` steps in with the scorecard-action step (anti-tampering restriction, see ossf/scorecard-action#workflow-restrictions).
  • The offending step was the in-job Check minimum score shell block.

Fix

Split the single scorecard job into two:

  • scorecard: checkout → scorecard-action → upload-artifact (all uses: steps only, satisfies OpenSSF's restriction)
  • check-score: downloads the artifact, runs the existing min-score shell check unchanged

check-critical job is untouched.

Test plan

  • CI run on this PR shows scorecard job green (publish succeeds) and check-score job runs the same min-score logic as before
  • Confirm no regression to the check-critical job (SECURITY.md / pinned-deps check)

Note

This fixes one of two checks currently red on every push to main. The other, instant-sync.yml, fails with Bad credentials because FARM_DISPATCH_TOKEN is dead — that's a secret-rotation action only the owner can take (already tracked in memory as a pending GitHub-identity-rebuild item: mint HYPATIA_SCAN_PAT/DISPATCH_PAT, drop FARM_DISPATCH_TOKEN). Flagging here rather than attempting a code fix for it.

🤖 Generated with Claude Code

@hyperpolymath hyperpolymath marked this pull request as ready for review July 4, 2026 11:34
@hyperpolymath hyperpolymath enabled auto-merge (squash) July 4, 2026 11:34
…hape rule

The scorecard job has been failing on every push to main since at least
2026-07-01 with "scorecard job must only have steps with `uses`" — the
OpenSSF scorecard-action's publish_results endpoint rejects any job that
mixes non-`uses` steps in with the scorecard-action step. Move the
min-score shell check into a separate downstream job that consumes the
results via artifact upload/download instead of running in-job.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@hyperpolymath hyperpolymath force-pushed the worktree-fix-scorecard-enforcer-job-shape branch from ad109f9 to ff6e58b Compare July 4, 2026 11:42
@sonarqubecloud

sonarqubecloud Bot commented Jul 4, 2026


Quality Gate failed

Failed conditions
  • Security Rating on New Code: C (required ≥ A)

See analysis details on SonarQube Cloud


@hyperpolymath hyperpolymath disabled auto-merge July 4, 2026 11:57
@hyperpolymath hyperpolymath merged commit c4d2410 into main Jul 4, 2026
19 of 20 checks passed
@hyperpolymath hyperpolymath deleted the worktree-fix-scorecard-enforcer-job-shape branch July 4, 2026 11:57
