Commit e2ef79e

fix(ci): pass GITHUB_TOKEN to Hypatia scanner in reusable workflow (#429)
## Problem

Across the estate, the **Hypatia Security Scan** CI prints three non-fatal warnings on every run:

```
Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set
Warning: Secret-scanning alerts unavailable: GITHUB_TOKEN not set
Warning: Code-scanning alerts unavailable: GITHUB_TOKEN not set
```

**Root cause (case c):** the reusable `hypatia-scan-reusable.yml` never set `GITHUB_TOKEN` in the `Run Hypatia scan` step. The scanner reads a single env var `GITHUB_TOKEN` (`lib/rules/{dependabot,code_scanning,secret_scanning}_alerts.ex`); empty → those three checks are skipped with warnings. It was neither a misnamed secret nor the built-in token — the env line was simply absent.

## Fix

Set the scan step's env:

```yaml
GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
```

- Prefer a fine-grained, **read-only** PAT inherited as an org Actions secret (`HYPATIA_SCAN_PAT`) — the built-in Actions token **cannot** read Dependabot alerts (no `dependabot` permission exists for `GITHUB_TOKEN`).
- Fall back to the built-in token so code-scanning alerts still resolve in repos where the PAT isn't present yet.

## What this does / doesn't do

- ✅ Silences the three warnings fleet-wide via `secrets: inherit`, once the org secret `HYPATIA_SCAN_PAT` exists.
- ❌ Does **not** change the severity gate — medium+ findings still fail CI. (The exit-1 is the findings, not the token.)

## Required manual step (cannot be automated)

Create an **organization** Actions secret `HYPATIA_SCAN_PAT` — fine-grained PAT, owner `hyperpolymath`, read-only: **Dependabot alerts: Read**, **Code scanning alerts: Read**, **Secret scanning alerts: Read**, **Metadata: Read**. Scope to the repos that run the scan.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

_Generated by [Claude Code](https://claude.ai/code/session_01V13sGvHnaeCY5A9fF2QsDm)_

Co-authored-by: Claude <noreply@anthropic.com>
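As an added illustration, not code from this commit or from the project, the following shows where the fix sits in a reusable workflow and how a consuming repository calls it. Only the step name `Run Hypatia scan`, the `env` line, `secrets: inherit` and the secret name `HYPATIA_SCAN_PAT` come from the commit message; the job layout, the `permissions` block, the repository path in the caller and the scanner invocation are assumptions or placeholders.

```yaml
# hypatia-scan-reusable.yml (illustrative reconstruction; layout is assumed)
name: Hypatia Security Scan

on:
  workflow_call:
    # No `secrets:` inputs are declared here: callers hand everything over
    # with `secrets: inherit`, so the org-level HYPATIA_SCAN_PAT flows through.

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # security-events: read is what the built-in token needs to read
      # code-scanning alerts; Dependabot alerts have no GITHUB_TOKEN permission.
      security-events: read
    steps:
      - uses: actions/checkout@v4

      # BEFORE (the bug): no env block, so GITHUB_TOKEN is empty inside the
      # step and the three alert checks are skipped with warnings.
      #
      # - name: Run Hypatia scan
      #   run: ./scripts/run-hypatia-scan.sh   # placeholder, not the project's command

      # AFTER (the fix): prefer the read-only fine-grained PAT, fall back to
      # the built-in token where the org secret has not been created yet.
      - name: Run Hypatia scan
        env:
          GITHUB_TOKEN: ${{ secrets.HYPATIA_SCAN_PAT || secrets.GITHUB_TOKEN }}
        run: ./scripts/run-hypatia-scan.sh   # placeholder, not the project's command

---
# Caller in a consuming repository (.github/workflows/security.yml, assumed path)
name: Security

on: [push, pull_request]

jobs:
  hypatia:
    # REPO_PLACEHOLDER stands for the repository that hosts the reusable workflow;
    # the page does not name it.
    uses: hyperpolymath/REPO_PLACEHOLDER/.github/workflows/hypatia-scan-reusable.yml@main
    secrets: inherit
```

Two points worth checking when reviewing a change like this: the `||` in the expression returns the first non-empty operand, so a repository whose org has not yet defined `HYPATIA_SCAN_PAT` silently gets the built-in token (and keeps the Dependabot warning) rather than failing; and the PAT that does land in `GITHUB_TOKEN` should carry only the read scopes the commit lists, so a leak from the scan step exposes alert metadata, not write access.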
1 parent 0597948 commit e2ef79e

0 file changed
