ci(hypatia-scan): repin reusable to merge-commit SHA

[hyperpolymath]

The wrapper pins to 97df762..., the PR-branch commit on standards#193 that was orphaned after squash-merge. The new pin 915139d7... is the merge-commit SHA on standards/main; file content is byte-identical.

Estate fix: ~100 repos affected by the same orphan.

Summary

Changes

RSR Quality Checklist

Required

• Tests pass (just test or equivalent)
• Code is formatted (just fmt or equivalent)
• Linter is clean (no new warnings or errors)
• No banned language patterns (no TypeScript, no npm/bun, no Go/Python)
• No unsafe blocks without // SAFETY: comments
• No banned functions (believe_me, unsafeCoerce, Obj.magic, Admitted, sorry)
• SPDX license headers present on all new/modified source files
• No secrets, credentials, or .env files included

As Applicable

• .machine_readable/STATE.a2ml updated (if project state changed)
• .machine_readable/ECOSYSTEM.a2ml updated (if integrations changed)
• .machine_readable/META.a2ml updated (if architectural decisions changed)
• Documentation updated for user-facing changes
• TOPOLOGY.md updated (if architecture changed)
• CHANGELOG or release notes updated
• New dependencies reviewed for license compatibility (MPL-2.0 / MPL-2.0)
• ABI/FFI changes validated (src/interface/abi/ and src/interface/ffi/ consistent)

Testing

Screenshots

[github-actions]

🔍 Hypatia Security Scan

Findings: 92 issues detected

Severity	Count
🔴 Critical	2
🟠 High	10
🟡 Medium	80

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "unknown",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence