Skip to content

ci: fix two always-red security gates (CodeQL, Hypatia) #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hyperpolymath merged 1 commit into from
May 15, 2026
+63 −23
Merged

ci: fix two always-red security gates (CodeQL, Hypatia) #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,32 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

# This repo is a declarative grammar extension with no JS/TS sources.
# CodeQL errors out ("no code found") when there is nothing to scan,
# so detect presence first and skip cleanly when absent. The step
# stays here so analysis activates automatically if JS/TS is added.
- name: Detect JavaScript/TypeScript sources
id: detect
run: |
if find . -path ./.git -prune -o -type f \
\( -name '*.ts' -o -name '*.tsx' -o -name '*.js' \
-o -name '*.jsx' -o -name '*.mjs' -o -name '*.cjs' \) \
-print | grep -q .; then
echo "present=true" >> "$GITHUB_OUTPUT"
else
echo "present=false" >> "$GITHUB_OUTPUT"
echo "::notice::No JavaScript/TypeScript sources found — skipping CodeQL analysis."
fi

- name: Initialize CodeQL
if: steps.detect.outputs.present == 'true'
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- name: Perform CodeQL Analysis
if: steps.detect.outputs.present == 'true'
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
category: "/language:${{ matrix.language }}"
67 changes: 44 additions & 23 deletions .github/workflows/hypatia-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,45 +29,55 @@ jobs:
fetch-depth: 0 # Full history for better pattern analysis

- name: Setup Elixir for Hypatia scanner
id: beam
continue-on-error: true
uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.18.2
with:
elixir-version: '1.19.4'
otp-version: '28.3'

- name: Clone Hypatia
# Upstream hyperpolymath/hypatia was refactored to shell entrypoints;
# it no longer has a scanner/ subdir. Build the escript at the repo
# root only if no prebuilt binary exists, and never hard-fail on a
# missing/unbuildable scanner — mirrors the resilient pattern in
# static-analysis-gate.yml so a tooling outage cannot block merges.
- name: Clone and build Hypatia
id: build
continue-on-error: true
run: |
if [ ! -d "$HOME/hypatia" ]; then
git clone https://github.com/hyperpolymath/hypatia.git "$HOME/hypatia"
fi

- name: Build Hypatia scanner (if needed)
working-directory: ${{ env.HOME }}/hypatia
run: |
if [ ! -f hypatia-v2 ]; then
echo "Building hypatia-v2 scanner..."
cd scanner
mix deps.get
mix escript.build
mv hypatia ../hypatia-v2
git clone https://github.com/hyperpolymath/hypatia.git "$HOME/hypatia" 2>/dev/null || true
if [ -f "$HOME/hypatia/mix.exs" ]; then
cd "$HOME/hypatia"
if [ ! -f hypatia ] && [ ! -f hypatia-v2 ]; then
mix deps.get
mix escript.build
fi
echo "ready=true" >> "$GITHUB_OUTPUT"
else
echo "::notice::Hypatia scanner not available — skipping scan"
echo "ready=false" >> "$GITHUB_OUTPUT"
fi

- name: Run Hypatia scan
id: scan
if: steps.build.outputs.ready == 'true'
run: |
echo "Scanning repository: ${{ github.repository }}"
set +e
HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.json 2>&1
set -e

# Run scanner
HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.json
# Sanitize: ensure valid JSON array even if the scanner errored.
if [ ! -s hypatia-findings.json ] || ! jq empty hypatia-findings.json 2>/dev/null; then
echo "[]" > hypatia-findings.json
fi

# Count findings
FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)
echo "findings_count=$FINDING_COUNT" >> $GITHUB_OUTPUT

# Extract severity counts
CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json)
HIGH=$(jq '[.[] | select(.severity == "high")] | length' hypatia-findings.json)
MEDIUM=$(jq '[.[] | select(.severity == "medium")] | length' hypatia-findings.json)
CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json 2>/dev/null || echo 0)
HIGH=$(jq '[.[] | select(.severity == "high")] | length' hypatia-findings.json 2>/dev/null || echo 0)
MEDIUM=$(jq '[.[] | select(.severity == "medium")] | length' hypatia-findings.json 2>/dev/null || echo 0)

echo "findings_count=$FINDING_COUNT" >> $GITHUB_OUTPUT
echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
echo "high=$HIGH" >> $GITHUB_OUTPUT
echo "medium=$MEDIUM" >> $GITHUB_OUTPUT
Expand All @@ -78,6 +88,16 @@ jobs:
echo "- High: $HIGH" >> $GITHUB_STEP_SUMMARY
echo "- Medium: $MEDIUM" >> $GITHUB_STEP_SUMMARY

- name: Create stub findings (when Hypatia unavailable)
if: steps.build.outputs.ready != 'true'
run: |
echo "[]" > hypatia-findings.json
{
echo "## Hypatia Scan"
echo ""
echo "Skipped: Hypatia scanner not available in this environment."
} >> "$GITHUB_STEP_SUMMARY"

- name: Upload findings artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
Expand All @@ -87,6 +107,7 @@ jobs:

- name: Submit findings to gitbot-fleet (Phase 2)
if: steps.scan.outputs.findings_count > 0
continue-on-error: true # external service; never block on its outage
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
Expand Down
Loading