fix(ci): move secret-scanner Cargo.toml gate from job-level if: to step-level#36
Merged
Merged
Conversation
…ep-level
`secret-scanner.yml` has had 0 successful runs since creation across all 60 estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (a GitHub Actions startup_failure). The workflow file looks syntactically valid; `gh workflow view` returns it cleanly; both action SHAs exist.
## Root cause
The `rust-secrets` job has a job-level `if:` clause:
```yaml
rust-secrets:
runs-on: ubuntu-latest
if: hashFiles('**/Cargo.toml') != ''
```
GitHub Actions **does not support** the `hashFiles()` expression in **job-level** `if:` conditions. From the docs: "the hashFiles function is available in the runtime environment when steps are running". Only step-level `if:` and other expression contexts work.
When `hashFiles()` is evaluated at job-eligibility time, the workflow run fails to schedule any jobs and is marked as a failed startup. Wrapping it in ${{ }} makes no difference.
Bisect tested 10 variants on a branch:
| Variant | Content | Result |
|---|---|---|
| A | minimal trigger + 1 echo job | OK 1 job spawned |
| C | minimal + only trufflehog job | OK 1 job spawned |
| D | full original (all 3 jobs) | FAIL 0 jobs |
| E | minimal + only gitleaks job | OK 1 job spawned |
| F | minimal + only rust-secrets job | FAIL 0 jobs |
| G | minimal + rust-secrets with `if:` and trivial body | FAIL 0 jobs |
| H | minimal + rust-secrets WITHOUT `if:` | OK 1 job spawned |
| I | rust-secrets with ${{ hashFiles... }} wrapper | FAIL 0 jobs |
| J | full minus `if:` + step-level Cargo guard | OK 3 jobs spawned |
## Fix
Remove the job-level `if:` line and replace with a step-level guard at the top of the existing run block:
```bash
if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
echo "No Cargo.toml found — skipping Rust secrets check"
exit 0
fi
```
Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. Affects 60 estate consumers — sweep PR follows.
|
hyperpolymath
added a commit
to hyperpolymath/idaptik-rescript13-staging
that referenced
this pull request
May 14, 2026
…ep-level (#9) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/hybrid-automation-router
that referenced
this pull request
May 14, 2026
…ep-level (#24) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/heterogenous-mobile-computing
that referenced
this pull request
May 14, 2026
…ep-level (#21) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/formatrix-docs
that referenced
this pull request
May 14, 2026
…ep-level (#6) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/flatracoon
that referenced
this pull request
May 14, 2026
…ep-level (#8) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/fireflag
that referenced
this pull request
May 14, 2026
…ep-level (#21) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/elixir-mcp-server
that referenced
this pull request
May 14, 2026
…ep-level (#10) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/eclexia
that referenced
this pull request
May 14, 2026
…ep-level (#10) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/double-track-browser
that referenced
this pull request
May 14, 2026
…ep-level (#19) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/docudactyl
that referenced
this pull request
May 14, 2026
…ep-level (#10) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/docmatrix
that referenced
this pull request
May 14, 2026
…ep-level (#12) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/defiant
that referenced
this pull request
May 14, 2026
…ep-level (#18) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/coq-jr
that referenced
this pull request
May 14, 2026
…ep-level (#19) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/conflow
that referenced
this pull request
May 14, 2026
…ep-level (#10) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/conative-gating
that referenced
this pull request
May 14, 2026
…ep-level (#42) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/cloud-sync-tuner
that referenced
this pull request
May 14, 2026
…ep-level (#9) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/civic-connect
that referenced
this pull request
May 14, 2026
…ep-level (#33) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/checky-monkey
that referenced
this pull request
May 14, 2026
…ep-level (#20) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/candy-crash
that referenced
this pull request
May 14, 2026
…ep-level (#25) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/bunsenite
that referenced
this pull request
May 14, 2026
…ep-level (#34) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/branch-newspaper
that referenced
this pull request
May 14, 2026
…ep-level (#41) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/boinc-boinc
that referenced
this pull request
May 14, 2026
…ep-level (#21) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/bofig
that referenced
this pull request
May 14, 2026
…ep-level (#62) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/bgp-backbone-lab
that referenced
this pull request
May 14, 2026
…ep-level (#30) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/betlang
that referenced
this pull request
May 14, 2026
…ep-level (#10) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/befunge93-vault-cracker
that referenced
this pull request
May 14, 2026
…ep-level (#5) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/asdf-tool-plugins
that referenced
this pull request
May 14, 2026
…ep-level (#19) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/anamnesis
that referenced
this pull request
May 14, 2026
…ep-level (#20) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
hyperpolymath
added a commit
to hyperpolymath/academic-workflow-suite
that referenced
this pull request
May 14, 2026
…ep-level (#180) `secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly. ## Root cause The `rust-secrets` job has a job-level `if:` clause: ```yaml rust-secrets: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' ``` GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference. ## Fix Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block: ```bash if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then echo "No Cargo.toml found — skipping Rust secrets check" exit 0 fi ``` Same semantics (skip when no `Cargo.toml`), but at a context where the expression works. After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
secret-scanner.ymlhas had 0 successful runs since creation across all 60 estate consumers — every run completes in 0 seconds withconclusion=failureand zero jobs spawned (a GitHub Actions startup_failure). The workflow file looks syntactically valid;gh workflow viewreturns it cleanly; both action SHAs exist.Root cause
The
rust-secretsjob has a job-levelif:clause:GitHub Actions does not support the
hashFiles()expression in job-levelif:conditions. From the docs: "the hashFiles function is available in the runtime environment when steps are running". Only step-levelif:and other expression contexts work.When
hashFiles()is evaluated at job-eligibility time, the workflow run fails to schedule any jobs and is marked as a failed startup. Wrapping it in ${{ }} makes no difference.Bisect tested 10 variants on a branch:
if:and trivial bodyif:if:+ step-level Cargo guardFix
Remove the job-level
if:line and replace with a step-level guard at the top of the existing run block:Same semantics (skip when no
Cargo.toml), but at a context where the expression works. Affects 60 estate consumers — sweep PR follows.