Consolidate/main 20260403

.github/workflows/codeql.yml

@@ -22,7 +22,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: javascript-typescript
+          - language: rust
             build-mode: none
 
     steps:

.github/workflows/hypatia-scan.yml

@@ -56,8 +56,19 @@ jobs:
         run: |
           echo "Scanning repository: ${{ github.repository }}"
 
-          # Run scanner
+          # Run scanner without failing the job on a non-zero scan exit.
+          set +e
           HYPATIA_FORMAT=json "$HYPATIA_DIR/hypatia-cli.sh" scan . > hypatia-findings.json
+          SCAN_EXIT=$?
+          set -e
+
+          if [ "$SCAN_EXIT" -ne 0 ]; then
+            echo "Hypatia scanner exited with code $SCAN_EXIT; continuing with reported findings."
+          fi
+
+          if ! jq empty hypatia-findings.json >/dev/null 2>&1; then
+            echo "[]" > hypatia-findings.json
+          fi
 
           # Count findings
           FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)
@@ -79,7 +90,7 @@ jobs:
           echo "- Medium: $MEDIUM" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload findings artifact
-        uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: hypatia-findings
           path: hypatia-findings.json

.github/workflows/static-analysis-gate.yml

@@ -112,7 +112,7 @@ jobs:
           echo "Skipped: panic-attack not available in this environment." >> "$GITHUB_STEP_SUMMARY"
 
       - name: Upload panic-attack findings
-        uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: panic-attack-findings
           path: panic-attack-findings.json
@@ -225,7 +225,7 @@ jobs:
           echo "Skipped: Hypatia scanner not available in this environment." >> "$GITHUB_STEP_SUMMARY"
 
       - name: Upload hypatia findings
-        uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: hypatia-findings
           path: hypatia-findings.json
@@ -308,7 +308,7 @@ jobs:
           echo "low=$LOW"           >> "$GITHUB_OUTPUT"
 
       - name: Upload unified findings (fleet scanner picks these up)
-        uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: unified-findings
           path: findings/unified-findings.json