Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion .github/workflows/governance-reusable.yml
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,14 @@ jobs:
BLOCKING_THRESHOLD: info
run: |
echo "Scanning repository: ${{ github.repository }} (checking baseline)"
# Move the baseline filter OUT of the scanned tree, then delete the
# standards checkout, so `hypatia scan .` only ever sees the CALLER's
# own files. Without this, `.standards-checkout/` (the tooling we
# checked out to get apply-baseline.sh) is itself scanned, and
# standards' own files get reported as the caller's findings (a banned
# `.ts`, `shell_download` bootstrap.sh scripts, etc.).
cp .standards-checkout/scripts/apply-baseline.sh "$RUNNER_TEMP/apply-baseline.sh"
rm -rf .standards-checkout
# hypatia's `scan` exits non-zero whenever it finds anything — that is
# by design, and under `bash -e` it would abort this step at this line,
# before the baseline filter (the real gate) ever runs. Tolerate the
Expand Down Expand Up @@ -160,7 +168,7 @@ jobs:
# suppresses only exact matches. Exits non-zero iff a kept finding is at
# or above BLOCKING_THRESHOLD. (Validated against synthetic fixtures;
# see the PR description.)
bash .standards-checkout/scripts/apply-baseline.sh \
bash "$RUNNER_TEMP/apply-baseline.sh" \
hypatia-findings.json .hypatia-baseline.json blocking
language-policy:
name: Language / package anti-pattern policy
Expand Down
Loading