Commit e2ef79e
fix(ci): pass GITHUB_TOKEN to Hypatia scanner in reusable workflow (#429)
## Problem
Across the estate, the **Hypatia Security Scan** CI prints three
non-fatal warnings on every run:
```
Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set
Warning: Secret-scanning alerts unavailable: GITHUB_TOKEN not set
Warning: Code-scanning alerts unavailable: GITHUB_TOKEN not set
```
**Root cause (case c):** the reusable `hypatia-scan-reusable.yml` never
set `GITHUB_TOKEN` in the `Run Hypatia scan` step. The scanner reads a
single env var `GITHUB_TOKEN`
(`lib/rules/{dependabot,code_scanning,secret_scanning}_alerts.ex`);
empty → those three checks are skipped with warnings. It was neither a
misnamed secret nor the built-in token — the env line was simply absent.
## Fix
Set the scan step's env:
```yaml
GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
```
- Prefer a fine-grained, **read-only** PAT inherited as an org Actions
secret (`HYPATIA_SCAN_PAT`) — the built-in Actions token **cannot** read
Dependabot alerts (no `dependabot` permission exists for
`GITHUB_TOKEN`).
- Fall back to the built-in token so code-scanning alerts still resolve
in repos where the PAT isn't present yet.
## What this does / doesn't do
- ✅ Silences the three warnings fleet-wide via `secrets: inherit`, once
the org secret `HYPATIA_SCAN_PAT` exists.
- ❌ Does **not** change the severity gate — medium+ findings still fail
CI. (The exit-1 is the findings, not the token.)
## Required manual step (cannot be automated)
Create an **organization** Actions secret `HYPATIA_SCAN_PAT` —
fine-grained PAT, owner `hyperpolymath`, read-only: **Dependabot alerts:
Read**, **Code scanning alerts: Read**, **Secret scanning alerts:
Read**, **Metadata: Read**. Scope to the repos that run the scan.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
_Generated by [Claude
Code](https://claude.ai/code/session_01V13sGvHnaeCY5A9fF2QsDm)_
Co-authored-by: Claude <noreply@anthropic.com>

1 parent 0597948, commit e2ef79e
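How the two halves of the fix fit together, as an added example rather than the repository's own workflow files: the per-repo caller forwards org secrets with `secrets: inherit`, and the reusable workflow's `Run Hypatia scan` step sets `GITHUB_TOKEN` with the PAT-first fallback. The caller path, the `permissions` block and the `mix hypatia.scan` invocation are assumptions; the commit names only the reusable workflow file, the step name and the env line.

```yaml
# Caller workflow in each scanned repo (assumed path: .github/workflows/hypatia.yml).
# `secrets: inherit` passes org/repo Actions secrets, including HYPATIA_SCAN_PAT once
# the org secret exists, into the reusable workflow below.
name: Hypatia Security Scan
on: [push, pull_request]
jobs:
  scan:
    # Assumed location of the reusable workflow; adjust owner/repo/ref as needed.
    uses: hyperpolymath/.github/.github/workflows/hypatia-scan-reusable.yml@main
    secrets: inherit

---
# Reusable workflow: hypatia-scan-reusable.yml (file name from the commit).
name: hypatia-scan-reusable
on:
  workflow_call:
jobs:
  hypatia:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Read access to security events lets the built-in token resolve
      # code-scanning alerts when HYPATIA_SCAN_PAT is not present yet.
      security-events: read
    steps:
      - uses: actions/checkout@v4
      - name: Run Hypatia scan
        # Before the fix this step had no `env:` block at all, so the scanner
        # saw an empty GITHUB_TOKEN and skipped the Dependabot, secret-scanning
        # and code-scanning alert checks with the three warnings.
        env:
          GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
        run: mix hypatia.scan   # assumed invocation; the commit does not name it
```

Because the built-in token has no Dependabot permission, the Dependabot-alert warning only disappears in repos where the fallback resolves to `HYPATIA_SCAN_PAT`.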