fix(ci): drop beta-Rust CodeQL leg (cancelled/hanging 'checks 2 things forever')#375
Merged
Merged
Conversation
…actions The CodeQL matrix analysed `actions` + `rust`. CodeQL's Rust support is beta: that leg cancels/hangs and never resolves (the recurring "CodeQL checks 2 things forever" symptom), providing zero real coverage. Removing it leaves the `actions` leg (this repo's primary analysable surface, per the workflow's own comment), so the matrix stays non-empty (no zero-jobs startup_failure). Rust security should be covered natively instead: rust.yml already runs clippy + build + test. A cargo-audit gate is a recommended follow-up — verified locally that `cargo audit` runs and already flags a real vuln in shared-context (crossbeam-epoch 0.9.18 → RUSTSEC-2026-0204, fix >=0.9.20; anyhow 1.0.102 unsound RUSTSEC-2026-0190). Verified: actionlint exit 0; matrix has 1 `actions` leg, 0 active `rust` legs. Part of the estate-wide CI cleanup: 13 repos carry this beta-Rust CodeQL leg. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This was referenced Jul 17, 2026
hyperpolymath
marked this pull request as ready for review
July 17, 2026 22:17
hyperpolymath
enabled auto-merge (squash)
July 17, 2026 22:18
hyperpolymath
added a commit
to hyperpolymath/hybrid-automation-router
that referenced
this pull request
Jul 17, 2026
…s forever') (#118) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/robodog-defensive-systems-lab
that referenced
this pull request
Jul 17, 2026
…s forever') (#105) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/hesiod-dns-map
that referenced
this pull request
Jul 17, 2026
…s forever') (#67) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
disabled auto-merge
July 17, 2026 22:29
hyperpolymath
added a commit
to hyperpolymath/conative-gating
that referenced
this pull request
Jul 17, 2026
…s forever') (#79) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/palimpsest-plasma
that referenced
this pull request
Jul 17, 2026
…s forever') (#55) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/wokelang
that referenced
this pull request
Jul 17, 2026
…s forever') (#121) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/project-wharf
that referenced
this pull request
Jul 17, 2026
…s forever') (#70) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/reasonably-good-token-vault
that referenced
this pull request
Jul 17, 2026
…133) ## What `.github/workflows/codeql.yml` had **two** defects: 1. The `strategy:` block was indented 2 spaces — floating outside the `analyze` job — with a misaligned matrix leg, so the file **did not parse as YAML** (actionlint: *did not find expected '-' indicator*). CodeQL never ran. 2. The only matrix language was `rust` (beta CodeQL — cancels/hangs). ## Fix Re-indent the `strategy` block under the job; set the leg to `actions` (non-empty matrix, no zero-jobs `startup_failure`). ## Verification `actionlint`: no parse/syntax errors; `actions` leg present, no active `rust` leg. ## Context Estate-wide shared-fate: 13 repos carried the beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/phantom-metal-taste
that referenced
this pull request
Jul 17, 2026
…s forever') (#36) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/blocky-writer
that referenced
this pull request
Jul 17, 2026
…s forever') (#21) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/social-media-polygraph
that referenced
this pull request
Jul 17, 2026
…s forever') (#60) ## What The CodeQL matrix analysed a `rust` leg. **CodeQL Rust support is beta** — that leg cancels/hangs and never resolves (the recurring *"CodeQL checks 2 things forever"* symptom), providing zero real security coverage. ## Fix Remove the `rust` leg; keep/ensure an `actions` leg so the matrix stays non-empty (no zero-jobs `startup_failure`). Rust security belongs in native tooling (cargo-audit / clippy), not beta CodeQL. ## Verification `actionlint`: no parse/syntax errors; matrix has an `actions` leg and zero active `rust` legs. ## Context Estate-wide shared-fate: 13 repos carried this beta-Rust CodeQL leg. Reference: hyperpolymath/gitbot-fleet#375. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
The CodeQL matrix analysed
actions+rust. CodeQL Rust support is beta — that leg cancels/hangs and never resolves (the recurring "CodeQL checks 2 things forever" symptom seen on this repo's Actions tab), so it provides zero real security coverage while looking permanently in-progress.Fix
Remove the
rustleg, keepactions(this repo's primary analysable surface). Matrix stays non-empty → no zero-jobsstartup_failure.Rust security (follow-up)
Rust belongs in native tooling, not CodeQL.
rust.ymlalready runs clippy + build + test. Recommended next: a cargo-audit gate — verified locally that it runs and already flags a real vuln:crossbeam-epoch 0.9.18→ RUSTSEC-2026-0204 (fix>=0.9.20), plusanyhow 1.0.102unsound (RUSTSEC-2026-0190).Verification
actionlintexit 0; matrix = 1actionsleg, 0 activerustlegs.Context
Estate-wide shared-fate: 13 repos carry this beta-Rust CodeQL leg. Reference fix for the sweep.
🤖 Generated with Claude Code