fix(ci): drop invalid timeout-minutes from reusable-workflow calls (parse-dead)#291
Merged
Merged
Conversation
…w calls A timeout-minutes: key was set on one or more jobs that call a reusable workflow via uses:. GitHub does not permit that key on a workflow_call job, so it rejected the file at parse time — the workflow failed instantly (0s) on every push and never ran. The standards *-reusable.yml workflows already declare timeout-minutes on their internal jobs, so the caller key was redundant as well as invalid. Files: .github/workflows/mirror.yml Verified with actionlint (real tool): no "timeout-minutes is not available" findings remain. Part of the estate-wide CI cleanup (84 repos; reference hyperpolymath/gitbot-fleet#374). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 6 issues detected
View findings[
{
"reason": "No test directory or test files found",
"type": "no_tests",
"file": "/home/runner/work/echo-types/echo-types",
"action": "flag",
"rule_module": "honest_completion",
"severity": "high",
"deduction": 20
},
{
"reason": "Issue in push-email-notify.yml",
"type": "missing_timeout_minutes",
"file": "push-email-notify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/workflow_audit/missing_timeout_minutes -- Hypatia workflow_audit: missing_timeout_minutes -- 22 day(s) old",
"type": "CSA001",
"file": "push-email-notify.yml",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 45 day(s) old [STALE]",
"type": "CSA001",
"file": ".github/workflows/scorecard.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code-scanning alert TokenPermissionsID (high) at .github/workflows/scorecard.yml is 45 days old (threshold: 7 days) -- overdue for remediation",
"type": "CSA003",
"file": ".github/workflows/scorecard.yml",
"action": "escalate",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code-scanning alert hypatia/code_safety/agda_postulate dismissed as 'false positive' -- ensure dismissal is documented and justified",
"type": "CSA004",
"file": "proofs/agda/EchoImageFactorizationPropPostulated.agda",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
marked this pull request as ready for review
July 17, 2026 22:07
hyperpolymath
enabled auto-merge (squash)
July 17, 2026 22:08
hyperpolymath
disabled auto-merge
July 17, 2026 22:30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
One or more jobs set a job-level
timeout-minutes:on a job that calls a reusable workflow viauses:. GitHub does not permit that key on aworkflow_calljob, so it rejected the file at parse time — the workflow failed instantly (0s) on every push and never ran a single job.Fix
Remove the invalid caller-side
timeout-minutes:. The standards*-reusable.ymlworkflows already declaretimeout-minuteson every internal job, so the caller key was redundant as well as invalid.Verification
actionlint(real tool): notimeout-minutes is not availablefindings remain.Context
Estate-wide shared-fate CI defect across 84 repos. Reference fix: hyperpolymath/gitbot-fleet#374.
🤖 Generated with Claude Code