From 52a74504c655bb9abe0ad870497418c8a5792275 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 24 Jun 2026 20:06:22 +0100
Subject: [PATCH] fix(ci): Hypatia reusable gate uploads findings instead of failing opaquely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "Run Hypatia scan" step runs `hypatia-cli.sh scan` under the default `bash -eo pipefail`. hypatia-cli exits 1 whenever findings exist (its documented behaviour), so the step aborted at the scan line BEFORE the jq counts, $GITHUB_OUTPUT, and the step summary ran — and because the "Upload findings artifacts" step had no `if:`, it was skipped on that failure. Net effect: the gate went red with zero visible findings.

Two minimal changes restore visibility:

- scan: add `--exit-zero` (the CLI flag built for this) so the step succeeds and the severity counts/outputs/summary populate. Gating is on the counts, not the scanner exit code (the existing "Check for critical issues" step already warns-don't-fail / fix-forward).
- upload: `if: always()` so findings upload even when an earlier step (build, scan) fails.

No behaviour change for clean repos; failing repos now surface their findings as an artifact + step summary instead of an opaque red X.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/hypatia-scan-reusable.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/hypatia-scan-reusable.yml b/.github/workflows/hypatia-scan-reusable.yml
index a351808f..ed94cf69 100644
--- a/.github/workflows/hypatia-scan-reusable.yml
+++ b/.github/workflows/hypatia-scan-reusable.yml
@@ -51,7 +51,11 @@ jobs: id: scan run: | echo "Scanning repository: ${{ github.repository }}" - HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.json + # --exit-zero: hypatia-cli exits 1 when findings exist; under the default + # `bash -eo pipefail` that aborts this step before the counts/outputs/summary + # run AND skips the upload, so the gate fails opaquely. Gate on the severity + # counts below, not on the scanner's exit code. + HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0) CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json 2>/dev/null || echo 0) @@ -83,6 +87,7 @@ jobs: fi - name: Upload findings artifacts + if: always() uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: hypatia-scan-findings
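Review bot: In the first hunk, once `--exit-zero` removes the scanner's exit status as a signal, the findings file is the only evidence that the scan actually ran, yet the unchanged count lines that follow (`FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)` and the CRITICAL line built the same way) fall back to 0 whenever jq cannot parse the file. An empty or non-JSON hypatia-findings.json (scanner wrote an error to stdout, or exited 0 without producing output) therefore now counts as a clean repo rather than a failed scan, which is the opposite failure mode from the one this change fixes. Suggest validating the file before counting, e.g. `jq -e 'type == "array"' hypatia-findings.json >/dev/null || { echo "::error::hypatia-findings.json missing or not a JSON array"; exit 1; }`, so the gate can tell "no findings" from "no scan".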
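Review bot: In the second hunk, `if: always()` also fires when the run is cancelled, so a cancelled job will still spend time on the artifact upload; `if: ${{ !cancelled() }}` expresses the stated intent (upload after a failed build or scan) without that side effect. Since the upload now runs even when the scan step never executed, hypatia-findings.json may not exist, and the step then depends on upload-artifact's `if-no-files-found` default of `warn` to stay green; setting `if-no-files-found: warn` explicitly next to the new `if:` documents that reliance for the next reader.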