From 3dfcd52ada5536a95a34be94b08361432a0e4696 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 2 May 2026 23:23:56 +0100
Subject: [PATCH] fix(ci): pass GITHUB_TOKEN to Hypatia scan step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After the HYPATIA_DIR fix in PR #44 got the scanner past the working-directory error, the next step (`Run Hypatia scan`) is now actually executing — and failing because the scanner queries Dependabot alerts, which requires GITHUB_TOKEN. The default GITHUB_TOKEN has the security_events:read scope that the alerts API needs; passing it via env on the scan step closes the gap.

Verified by reading the actual scan log:

Scanning repository: hyperpolymath/affinescript
Warning: Dependabot alerts unavailable: GITHUB_TOKEN not set — cannot query Dependabot alerts
##[error]Process completed with exit code 1.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/hypatia-scan.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 81e4ee2..96e7fe2 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -55,6 +55,11 @@ jobs:
       - name: Run Hypatia scan
         id: scan
+        env:
+          # Hypatia uses Dependabot alerts as one of its signal sources.
+          # Without GITHUB_TOKEN it warns and exits 1. The default GITHUB_TOKEN
+          # has the security_events:read scope needed to query alerts.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           echo "Scanning repository: ${{ github.repository }}"