From 2889fc262f8ae23419eab0a45f57e3bbe6df22e3 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 7 Jul 2026 06:02:02 +0100 Subject: [PATCH] =?UTF-8?q?fix(ci):=20scan-and-report=20=E2=80=94=20skip?= =?UTF-8?q?=20verisimdb=20dispatch=20without=20VERISIMDB=5FPAT;=20surface?= =?UTF-8?q?=20HTTP=20status=20on=20rejection?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit VERISIMDB_PAT is declared optional (required: false), but consumers without it fell through to GITHUB_TOKEN, which can never dispatch to another repo — so every such consumer's Security Scan went red at the dispatch step with a bare curl exit 22 (seen on echidna run 28842498410 once the argv overflow from #155 was out of the way). - No PAT -> notice + skip dispatch; the scan result itself still gates. - With PAT -> capture and report the HTTP status + response body on rejection instead of a silent -f failure. Co-Authored-By: Claude Fable 5 --- .github/workflows/scan-and-report.yml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan-and-report.yml b/.github/workflows/scan-and-report.yml index e6ef505..0801456 100644 --- a/.github/workflows/scan-and-report.yml +++ b/.github/workflows/scan-and-report.yml @@ -44,8 +44,17 @@ jobs: - name: Send to verisimdb-data if: steps.scan.outputs.scan_complete == 'true' env: - DISPATCH_TOKEN: ${{ secrets.VERISIMDB_PAT || secrets.GITHUB_TOKEN }} + DISPATCH_TOKEN: ${{ secrets.VERISIMDB_PAT }} run: | + # VERISIMDB_PAT is declared optional. Cross-repo dispatch is + # impossible with the workflow's own GITHUB_TOKEN (it is scoped + # to the calling repo), so without the PAT we skip rather than + # fail every consumer's Security Scan. + if [ -z "${DISPATCH_TOKEN}" ]; then + echo "::notice::VERISIMDB_PAT not configured; scan passed, skipping cross-repo dispatch to verisimdb-data" + exit 0 + fi + REPO_NAME=$(basename $(pwd)) # Build the payload in a file: inlining the scan JSON on argv @@ -73,9 +82,15 @@ jobs: }}}' scan-result.json > dispatch-payload.json fi - curl -sf -X POST \ + # Capture the HTTP status so a rejected dispatch says *why* + # instead of a bare curl exit 22. + HTTP_STATUS=$(curl -s -o dispatch-response.json -w "%{http_code}" -X POST \ -H "Authorization: Bearer ${DISPATCH_TOKEN}" \ -H "Accept: application/vnd.github+json" \ "https://api.github.com/repos/hyperpolymath/verisimdb-data/dispatches" \ - --data @dispatch-payload.json - echo "Dispatched scan results for ${REPO_NAME} to verisimdb-data" + --data @dispatch-payload.json) + if [ "${HTTP_STATUS}" -ge 300 ]; then + echo "::error::verisimdb-data dispatch failed with HTTP ${HTTP_STATUS}: $(cat dispatch-response.json)" + exit 1 + fi + echo "Dispatched scan results for ${REPO_NAME} to verisimdb-data (HTTP ${HTTP_STATUS})"