Skip to content

Commit f5f78ef

Browse files
Merge branch 'main' into claude/estate-audit-optimization-h19z12
2 parents a073125 + f81bb04 commit f5f78ef

1 file changed

Lines changed: 11 additions & 1 deletion

File tree

.github/workflows/governance-reusable.yml

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -128,7 +128,17 @@ jobs:
128128
BLOCKING_THRESHOLD: info
129129
run: |
130130
echo "Scanning repository: ${{ github.repository }} (checking baseline)"
131-
HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.raw.json
131+
# hypatia's `scan` exits non-zero whenever it finds anything — that is
132+
# by design, and under `bash -e` it would abort this step at this line,
133+
# before the baseline filter (the real gate) ever runs. Tolerate the
134+
# scan's own exit code…
135+
HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.raw.json || true
136+
# …but never swallow a genuine scanner crash into a false pass: require a
137+
# valid JSON array before trusting the output as "the findings".
138+
if ! jq -e 'type == "array"' hypatia-findings.raw.json >/dev/null 2>&1; then
139+
echo "::error::hypatia scan did not produce a valid JSON findings array (scanner error, not a baseline result)"
140+
exit 1
141+
fi
132142
133143
# Relativize finding paths before matching. Hypatia's honest_completion
134144
# and code_safety modules emit ABSOLUTE host paths in `.file`

0 commit comments

Comments
 (0)