From e8069d047908a4ae6c7b5b244d0fb3a75a916332 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 13 May 2026 22:15:34 +0100
Subject: [PATCH] ci(hypatia-scan): add --exit-zero + GITHUB_TOKEN to canonical template
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The standards repo's hypatia-scan.yml is the template that consumer repos cargo-cult across the estate. The scan command ran without `--exit-zero` or `|| true`, so under `set -e` it short-circuited the rest of the step whenever findings existed — silently breaking the downstream "Check for critical or high-severity issues" gate.

Adds --exit-zero (canonical) and the GITHUB_TOKEN env (silences the "Dependabot alerts unavailable" warning), matching what hyperpolymath/hypatia#228 already landed in hypatia's own copy.

Fixing the root template here so any new repos templated from standards inherit the correct pattern. Existing affected consumers need their own follow-up sweep (see panll#28, lcb-website#9, aerie#19 for the pattern).
---
 .github/workflows/hypatia-scan.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 325739f6..7131bb72 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -44,9 +44,16 @@ jobs:
 - name: Run Hypatia scan
 id: scan
+ env:
+ # Suppress the "Dependabot alerts unavailable: GITHUB_TOKEN not set"
+ # warning so the run is silent-warning-free.
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 echo "Scanning standards repo (dogfooding)"
- HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.json
+ # --exit-zero so a findings-found exit-1 doesn't short-circuit the
+ # rest of this step under `set -e`. The "Check for critical or
+ # high-severity issues" step below is the explicit gate.
+ HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json
 FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)
 CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json 2>/dev/null || echo 0)