Monitoring window: 2026-03-12T06:25 – 12:25 UTC | Repos scanned: 22 | Run: 23001815470
Previous alert: #234 (06:32 UTC)
🔴 Critical — Action Required
daedalus — Security Audit Failing on Default Branch (~12h)
| Field | Detail |
|---|---|
| Workflow | Security Audit |
| Branch | main |
| Since | 2026-03-12T00:23 UTC |
| Cause | sigstore/cosign-installer bumped 4.0.0→4.1.0 via Dependabot (#20) — breaking change |
Action: Pin sigstore/cosign-installer back to the 4.0.0 SHA in security-audit.yml; open upstream issue with sigstore. Security pipeline failing on main branch blocks supply-chain confidence.
🟡 Warning — Ongoing
atlatl — Pipeline Failing on main (Active Fix Attempt In Progress)
| Field | Detail |
|---|---|
| Latest failed run | #22982169662 — "fix: stabilize rate limiter test for Windows timer resolution" |
| NEW in-progress run | #23001819606 — "fix: handle checked_sub returning None in sliding window rate limiter" (started 12:24 UTC) |
| Root cause | Instant::checked_sub(window) returns None on Windows when system uptime < window duration; prior fix (20ms sleep) didn't resolve it |
| New approach | When checked_sub returns None, retain all timestamps (all are within the window) |
Status: Fix attempt #3 is running right now. Monitor run #23001819606 for outcome.
If this fix fails: Consider #[cfg_attr(target_os = "windows", ignore)] on the timing-sensitive test, or refactor to a counter-based (not time-based) assertion for Windows.
atlatl-spec — Deploy to GitHub Pages Failing (34+ Hours)
| Field | Detail |
|---|---|
| Workflow | Deploy to GitHub Pages |
| Since | 2026-03-11T02:01 UTC |
| Cause | @redocly/cli bumped 2.20.0→2.20.4 via Dependabot (#187) — breaking change in patch release |
Action: Revert @redocly/cli to 2.20.0 in package.json; pin the SHA. Open upstream issue with Redocly — patch bump should not be breaking.
.github — Dependabot Automation Broken (10+ Days)
- dependabot-rollout failing since ~2026-03-02; dependabot-sweep failing since ~2026-03-08
- Dependabot PRs accumulating without auto-merge across all 22 managed repos
- Action: Audit GITHUB_TOKEN permissions — needs pull-requests: write + contents: write
ℹ️ Info — Within Normal Range
| Metric | Count | Threshold | Status |
|---|---|---|---|
| New issues in 6h window | 2 (both automated) | >5 | ✅ Normal |
| Human-authored new issues | 0 | — | ✅ Normal |
| Pending reviews per person | 0 | >10 | ✅ Normal |
| Stale critical/high items | 0 | 48h inactivity | ✅ Normal |
| Issue spike | None | >5 in 6h | ✅ Normal |
Recommended Actions (Priority Order)
- [Immediate] Fix daedalus Security Audit — pin sigstore/cosign-installer back to 4.0.0 SHA
- [Monitor now] Watch atlatl run #23001819606 — third fix attempt in progress
- [Today] Revert atlatl-spec @redocly/cli to 2.20.0 — spec site deploy broken 34h+
- [Medium] Restore .github Dependabot automation — GITHUB_TOKEN permissions audit needed
Generated by smart-alerts workflow — https://github.com/zircote/.github/actions/runs/23001815470