What happened
Repo Actions policy was set to `allowed_actions: selected` (GitHub-owned + verified creators only, `patterns_allowed: []`) with `sha_pinning_required: true` — matching `standards` — but the workflows were never made compliant. Result: 9 of the push-triggered workflows on main hit `startup_failure` and nothing ran (Rust CI, Governance, Secret Scanner, Mirror, Instant Sync, Provable, ABI-FFI Gate, GitHub Pages, Push email). The web UI's "workflow file issue" message was a red herring — the YAML is valid (actionlint-clean); the policy blocked the runs.
On 2026-07-07 the policy was reset to the family norm (`allowed_actions: all`, `sha_pinning_required: false`) — same as verisimdb / vcl-ut / verisimdb-data — to unbreak main CI.
To re-harden (do these BEFORE flipping the policy back)
- SHA-pin every `uses:` in `.github/workflows/` — currently unpinned: `rust-ci.yml` (`actions/checkout@v4`, `dtolnay/rust-toolchain@stable|master`, `Swatinem/rust-cache@v2`), `abi-ffi-gate.yml` (`actions/checkout@v4`).
- Curate `patterns_allowed` for the non-verified third-party actions in use: `dtolnay/rust-toolchain@`, `Swatinem/rust-cache@`, `peter-evans/repository-dispatch@`, `dawidd6/action-send-mail@`, `mlugg/setup-zig@`, `haskell-actions/setup@`, plus whatever the standards reusables pinned by `mirror.yml`/`secret-scanner.yml`/`governance.yml` use internally (verify against their pinned SHAs).
- Bump the stale standards pins while at it: `mirror.yml` and `secret-scanner.yml` still pin `d135b05` (the known estate CI-red master-cause SHA); current canon is `d7c2271`.
- Fix `dogfood-gate.yml` — invalid YAML around line 261 (strict parsers reject it; it runs but shows its path as its name).
- Then: `PUT /repos/hyperpolymath/verisimiser/actions/permissions` back to `selected` + `sha_pinning_required: true` and add the allowlist via `/actions/permissions/selected-actions`.
Related: #169 (scorecard-enforcer retirement + pin refresh), #170 (abi-ffi-gate Python migration).
What happened
Repo Actions policy was set to `allowed_actions: selected` (GitHub-owned + verified creators only, `patterns_allowed: []`) with `sha_pinning_required: true` — matching `standards` — but the workflows were never made compliant. Result: 9 of the push-triggered workflows on main hit `startup_failure` and nothing ran (Rust CI, Governance, Secret Scanner, Mirror, Instant Sync, Provable, ABI-FFI Gate, GitHub Pages, Push email). The web UI's "workflow file issue" message was a red herring — the YAML is valid (actionlint-clean); the policy blocked the runs.
On 2026-07-07 the policy was reset to the family norm (`allowed_actions: all`, `sha_pinning_required: false`) — same as verisimdb / vcl-ut / verisimdb-data — to unbreak main CI.
To re-harden (do these BEFORE flipping the policy back)
Related: #169 (scorecard-enforcer retirement + pin refresh), #170 (abi-ffi-gate Python migration).