Summary
The reusable-governance-gates.yml in templates/governance-baseline/ has drifted from the live version at .github/workflows/reusable-governance-gates.yml in this same repo. The template's workflow-secret-policy job uses an outdated regex that matches any bare `secrets.<ident>` substring, so the literal path `.github/allowed-workflow-secrets.txt` (which ends in `secrets.txt`) is picked up and `txt` is reported as a secret reference. That false-positive makes the job fail on its first run in any repo that copies the template verbatim.
Reproduction
# In any repo that has adopted the template's reusable-governance-gates.yml:
grep -RhoE 'secrets\.[A-Za-z_][A-Za-z0-9_]*' .github/workflows \
| sed -E 's/.*secrets\.([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
| sort -u
# Output includes: txt
# Because the grep matches the literal string `.github/allowed-workflow-secrets.txt`
# inside `reusable-governance-gates.yml` itself.
Then the allowlist check fails:
Disallowed workflow secret reference: txt
Workflow secret policy check failed.
Diff — template vs. live
--- templates/governance-baseline/.github/workflows/reusable-governance-gates.yml
+++ .github/workflows/reusable-governance-gates.yml
@@ -23,2 +23,2 @@
- secrets_in_use="$(grep -RhoE 'secrets\.[A-Za-z_][A-Za-z0-9_]*' .github/workflows \
- | sed -E 's/.*secrets\.([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
+ secrets_in_use="$(grep -RhoE '\$\{\{\s*secrets(\.[A-Za-z_][A-Za-z0-9_]*|\[\x27"[A-Za-z_][A-Za-z0-9_]*\x27"\])\s*\}\}' .github/workflows \
+ | sed -E "s/.*secrets[.\[\x27\"]([A-Za-z_][A-Za-z0-9_]*).*/\1/" \
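Review bot: the bracket alternative on the `+ secrets_in_use=` line, `\[\x27"[A-Za-z_][A-Za-z0-9_]*\x27"\]`, is not a bracket expression: it requires the two-character sequence `'"` on each side of the name, so neither `${{ secrets['X'] }}` nor `${{ secrets["X"] }}` matches and only the dot form is actually extracted, contrary to what the surrounding text claims. On top of that, `\x27` is a PCRE (`grep -P`) escape; `grep -E` does not turn it into an apostrophe. Putting the quote characters inside brackets and spelling the apostrophe literally by closing the shell's single quotes, `\[['"'"'"][A-Za-z_][A-Za-z0-9_]*['"'"'"]\]`, gives the intended match. The `+ | sed -E` line already uses a bracket expression (`[.\[\x27\"]`), and GNU sed does honour `\x27`, so it only needs to stay in step with whatever quote spelling the grep ends up using. A fixture containing all three reference forms plus the literal `allowed-workflow-secrets.txt` path would catch both this and the original drift.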
The live version only matches a complete `${{ secrets.X }}` or `${{ secrets['X'] }}` expression, so a bare `secrets.txt` substring inside a file path is no longer extracted and the txt false-positive disappears.
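The contrast between the two extractions, as an added example that is not code from the template or the live workflow: it builds a throwaway repo layout with a constructed workflow file and allowlist, runs the template's loose `secrets.<ident>` extraction beside a strict one that accepts only complete `${{ secrets.X }}`, `${{ secrets['X'] }}` and `${{ secrets["X"] }}` expressions, and then performs the allowlist comparison the job does. The function names (loose_refs, strict_refs, check_policy) and the secret names NPM_TOKEN and DEPLOY_KEY are assumptions; the strict regex spells the apostrophe by closing and reopening the shell's single quotes rather than with a `\x27` escape.

```shell
#!/bin/sh
# Added example, not code from the governance template or the live workflow.
# Builds a throwaway repo layout, then contrasts the template's loose
# "secrets.<ident>" extraction with a strict one limited to complete
# ${{ secrets.X }} / ${{ secrets['X'] }} / ${{ secrets["X"] }} expressions.
set -eu
LC_ALL=C; export LC_ALL           # deterministic sort order

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/.github/workflows"

# Constructed workflow: one dot-form reference, one bracket-form reference,
# and a literal path whose tail "secrets.txt" looks like a reference.
cat > "$WORKDIR/.github/workflows/ci.yml" <<'EOF'
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ secrets.NPM_TOKEN }}"
      - run: echo "${{ secrets['DEPLOY_KEY'] }}"
      - run: cat .github/allowed-workflow-secrets.txt
EOF

# Constructed allowlist (hypothetical names), one secret per line.
printf 'NPM_TOKEN\nDEPLOY_KEY\n' > "$WORKDIR/.github/allowed-workflow-secrets.txt"

# Template's extraction: any "secrets.<ident>" substring counts. The path
# above yields the bogus name "txt", and the bracket form is missed entirely.
loose_refs() {
  grep -RhoE 'secrets\.[A-Za-z_][A-Za-z0-9_]*' "$1/.github/workflows" \
    | sed -E 's/.*secrets\.([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
    | sort -u
}

# Strict extraction: the whole ${{ ... }} expression must be present. The
# apostrophe inside the bracket expression ['"] is produced by closing and
# reopening the shell's single quotes ('"'"'), not with a \x27 escape, which
# grep -E does not interpret.
strict_refs() {
  grep -RhoE '\$\{\{[[:space:]]*secrets(\.[A-Za-z_][A-Za-z0-9_]*|\[['"'"'"][A-Za-z_][A-Za-z0-9_]*['"'"'"]])[[:space:]]*\}\}' "$1/.github/workflows" \
    | sed -E 's/.*secrets(\.|\[['"'"'"])([A-Za-z_][A-Za-z0-9_]*).*/\2/' \
    | sort -u
}

# Allowlist comparison: report every referenced secret that is not allowlisted
# and return non-zero if any was found. $1 is the extractor, $2 the repo root.
check_policy() {
  status=0
  for name in $("$1" "$2"); do
    if ! grep -qxF "$name" "$2/.github/allowed-workflow-secrets.txt"; then
      echo "Disallowed workflow secret reference: $name"
      status=1
    fi
  done
  return "$status"
}

echo "template regex extracts:"; loose_refs "$WORKDIR"
echo "strict regex extracts:";   strict_refs "$WORKDIR"
check_policy loose_refs  "$WORKDIR" || echo "Workflow secret policy check failed (template regex)."
check_policy strict_refs "$WORKDIR" && echo "Workflow secret policy check passed (strict regex)."
```

Run as-is; no network or repo checkout is needed. Besides the `txt` false-positive, the loose extraction also silently drops the bracket-form reference DEPLOY_KEY, so the template regex both over- and under-reports, which is why the strict form anchors on the full `${{ ... }}` expression rather than on the word `secrets` alone.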
Proposed fix
Sync templates/governance-baseline/.github/workflows/reusable-governance-gates.yml to match .github/workflows/reusable-governance-gates.yml.
Impact
Any repo adopting the canonical template per the governance scoring guidance hits this on first CI run. It hit chittydispute during CHITTYOS/chittydispute#13, resolved locally in CHITTYOS/chittydispute#14 by swapping to the live version — but that workaround means each adopter has to independently discover the drift.
Related
- Driving incident: CHITTYOS/chittydispute#13 + CHITTYOS/chittydispute#14
- No urgency — chittydispute is unblocked with a local fix