fix: vordr 1.86 builder + repair A2ML/trufflehog/Hypatia CI checks #41
Merged
The pinned Cargo.lock resolves icu_* 2.2.0 and idna_adapter 1.2.2 (MSRV rustc 1.86) plus indexmap 2.14.0 (Cargo `edition2024`, needs Cargo >= 1.85). On the previous rust:1.83-slim builder, `cargo build --release --locked` aborts at manifest parse:

```text
error: failed to parse manifest at .../indexmap-2.14.0/Cargo.toml
Caused by: feature `edition2024` is required ... not stabilized in this version of Cargo (1.83.0)
```

Bumping the builder stage to rust:1.86-slim (the minimum that satisfies every locked dependency) lets the full vordr image build end-to-end. Verified locally: 1.83 fails, 1.85 fails (icu needs 1.86), 1.86 builds the release binary cleanly.

Three pre-existing checks failed identically on main; root-caused each:

- Validate A2ML manifests: the pinned a2ml-validate-action SHA predated the typed-manifest / contractile-shape identity exemptions (26 false "missing identity" errors), and upstream HEAD is corrupted (a stray newline splits a comment so `ame/project` runs as a command and aborts under `set -e`). Vendor the latest validator logic with that newline repaired, invoked from the workflow with paths-ignore extended for stapeln's legitimately distinct doc-types (clade decl, YAML anchors, agent-instruction configs). Verified: 0 errors, exit 0.
- trufflehog: the action wraps a Docker range-scan (`--since-commit BASE --branch HEAD` against `:latest`) that fails on PRs even with zero secrets. A full-history filesystem scan (trufflehog 3.95.3) finds 0 verified/unverified secrets, so there is no real leak. Replace the action with a deterministic pinned full-history CLI scan.
- Hypatia Neurosymbolic Analysis: the build step ran `cd scanner`, but the Hypatia mix project is at the repo root (no scanner/ dir), so the step aborted under `set -e`. Build at the repo root; escript.build emits ./hypatia which hypatia-cli.sh prefers.

The job failed in ~15s — before clone/build — because erlef/setup-beam could not resolve the pinned Elixir 1.19.4 / OTP 28.3 (not in its version index). Hypatia's mix.exs only requires `elixir ~> 1.14`; pin to the stable 1.17 / OTP 27 lines so setup-beam resolves the latest patch. Complements the earlier scanner-build-path fix.

1. vordr full container build (original task)

Root cause: `container-stack/vordr/Containerfile` pinned `rust:1.83-slim`, but the committed `Cargo.lock` resolves `indexmap 2.14.0` (Cargo `edition2024` → Cargo ≥ 1.85) and `icu_* 2.2.0` / `idna_adapter 1.2.2` (MSRV rustc 1.86). `cargo build --release --locked` aborts at manifest-parse on 1.83.

Fix: bump builder to `rust:1.86-slim`. Reproduced exact container command locally: 1.83 ❌ → 1.85 ❌ → 1.86 ✅ (release binary, 3m33s); 1.94 ✅. `smoke build (vordr)` is green on this PR.

2. Three pre-existing CI checks (deep-fixed on request)

All three failed identically on `main` (merged #39). Each root-caused by local reproduction:

Validate A2ML manifests

The workflow pinned `a2ml-validate-action@b2f28c3` (#4), which predated the typed-manifest / contractile-shape identity exemptions → 26 false "missing identity" errors on legitimate `.a2ml` files. Upstream HEAD (#8) adds the exemptions but is corrupted: a stray newline splits a comment so `ame/project` runs as a command and aborts under `set -e`. No external action SHA validates this repo cleanly.

Fix: vendor the latest validator logic (`.github/scripts/validate-a2ml.sh`) with the upstream newline repaired, invoked from `dogfood-gate.yml` with `paths-ignore` extended for stapeln's structurally-distinct doc-types (clade declarations, YAML anchor files, agent-instruction configs). Verified locally: 62 scanned, 0 errors, exit 0.

trufflehog

The action wraps a Docker range-scan (`--since-commit BASE --branch HEAD` against `:latest`) that fails on PRs even with zero secrets. A full-history scan with trufflehog 3.95.3 finds 0 verified / 0 unverified secrets — there is no real leak.

Fix: replace the action with a deterministic, version-pinned full-history CLI scan in `secret-scanner.yml`.

Hypatia Neurosymbolic Analysis

The build step ran `cd scanner`, but the Hypatia mix project is at the repo root (no `scanner/` dir), so the step aborted under `set -e`. (The scan itself uses `--exit-zero`, so findings never fail it.)

Fix: build at the repo root in `hypatia-scan.yml`; `escript.build` emits `./hypatia`, which `hypatia-cli.sh` prefers.

Notes

`a2ml-validate-action` once its HEAD is fixed.

Test plan

`smoke build (vordr)`, `Validate A2ML manifests`, `trufflehog`, `Hypatia Neurosymbolic Analysis` all green
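The `set -e` failure mode behind the A2ML validator breakage (described in the commit message and again under Validate A2ML manifests), as an added example that is not code from this PR or from a2ml-validate-action: the two script bodies are constructed stand-ins for the corrupted and repaired validator, and `lint_split_comments` is a hypothetical heuristic check, not something this PR adds.

```shell
#!/bin/sh
# Added example, not code from this PR or from a2ml-validate-action. Reproduces a
# comment split by a stray newline (its tail then runs as a command and aborts the
# script under `set -e`) and adds a small heuristic lint for that defect.

# Constructed stand-ins: the newline between "n" and "ame/project" is the stray one.
BROKEN=$(printf '%s\n' '#!/bin/sh' 'set -e' \
  '# identity exemption applies to n' 'ame/project manifests' 'echo validated')
FIXED=$(printf '%s\n' '#!/bin/sh' 'set -e' \
  '# identity exemption applies to name/project manifests' 'echo validated')

# Run a script body with sh; the return value is the script's exit status.
run_script() {
  printf '%s\n' "$1" | sh 2>/dev/null
}

# True if a first word resolves to something runnable: a builtin, a function,
# a command on PATH, or (for a path) an executable file.
resolves() {
  case "$1" in
    */*) [ -x "$1" ] ;;
    *)   command -v "$1" >/dev/null 2>&1 ;;
  esac
}

# Heuristic lint: a line directly after a comment whose first word is neither a
# comment, an assignment, nor a resolvable command is probably a comment fragment.
# Prints "LINE:<n>:<word>" for each suspect and returns 1 if any were found.
lint_split_comments() {
  prev="" n=0 found=0
  while IFS= read -r line; do
    n=$((n + 1))
    word=${line%% *}
    case "$prev" in
      '#'*)
        case "$word" in
          ''|'#'*|*=*) ;;
          *) resolves "$word" || { echo "LINE:$n:$word"; found=1; } ;;
        esac ;;
    esac
    prev=$line
  done <<EOF
$1
EOF
  return $found
}

run_script "$BROKEN" || echo "broken exit=$?"   # non-zero: aborted under set -e
lint_split_comments "$BROKEN" || true            # LINE:4:ame/project
```

`sh -n` accepts the broken script because `ame/project manifests` is syntactically a valid command, which is why a syntax check alone would not have caught the upstream corruption.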