Description
Monitoring window: 2026-03-12T12:25 – 18:28 UTC | Repos scanned: 22 | Run: 23017617494
Previous alert: #237 (12:25 UTC)
🔴 Critical — Action Required
daedalus — Security Audit Failing on Default Branch (~18h, No Fix Pushed)
| Field | Detail |
|---|---|
| Workflow | Security Audit |
| Branch | main |
| Since | 2026-03-12T00:23 UTC — ~18 hours and counting |
| Cause | sigstore/cosign-installer bumped 4.0.0→4.1.0 via Dependabot (#20) — breaking change |
| Status change | No fix pushed since last alert (#237 at 12:25 UTC) |
Action: Pin sigstore/cosign-installer back to the 4.0.0 SHA (faadad0cce49287aee09b3a48701e75088a2c6ad) in security-audit.yml. Supply-chain confidence is blocked; this is the longest-running CI failure across the org.
🟡 Warning — Ongoing / Escalating
atlatl — Pipeline Unresolved, Active Fix Iteration (4+ Attempts Today)
| Field | Detail |
|---|---|
| Current run | #23017463440 — "feat: add cross-platform check recipes to justfile" — in_progress (started 18:23 UTC) |
| Previous run | #23015873458 — "fix(test): add headroom to at_ceiling_stays_inline for Windows" — cancelled (superseded at 17:45 UTC) |
| Root cause (current) | Windows cross-platform test flakiness: at_ceiling_stays_inline produces slightly more bytes on Windows due to backslash path escaping; checked_sub timer resolution issues on Windows |
| Pattern | Multiple fix commits pushed today (fix attempt #3 at 12:24, headroom fix at 17:45, now cross-platform check recipes at 18:23) |
Status: Active development — developer is iterating quickly. Monitor run #23017463440 for outcome.
If still failing: Consider #[cfg_attr(target_os = "windows", ignore)] on all timing-sensitive and byte-count tests while upstream platform behavior is investigated.
atlatl-spec — Deploy to GitHub Pages Failing (40.5+ Hours) ⚠️ ESCALATING
| Field | Detail |
|---|---|
| Workflow | Deploy to GitHub Pages |
| Since | 2026-03-11T02:01 UTC — now 40.5 hours (was 34h in #237) |
| Cause | @redocly/cli bumped 2.20.0→2.20.4 via Dependabot (#187) — breaking change in patch release |
| No fix activity | No commits or fix attempts since breakage |
Escalation: This will pass the 48h stale threshold in ~7.5 hours. The spec site is dark for all consumers.
Action: Revert @redocly/cli to 2.20.0 in package.json immediately. Open upstream issue with Redocly about breaking patch release.
.github — Dependabot Automation Broken (10+ Days)
- dependabot-rollout failing since ~2026-03-02; dependabot-sweep failing since ~2026-03-08
- Dependabot PRs accumulating without auto-merge across all 22 managed repos
- No fix attempted since last alert
- Action: Audit GITHUB_TOKEN permissions — needs pull-requests: write + contents: write
ℹ️ Info — Within Normal Range
| Metric | Count | Threshold | Status |
|---|---|---|---|
| New issues in 6h window | 2 (both automated) | >5 | ✅ Normal |
| Human-authored new issues | 0 | — | ✅ Normal |
| Pending reviews per person | 0 | >10 | ✅ Normal |
| Stale critical/high items | 0 confirmed human items | 48h inactivity | ✅ Normal |
| Issue spike | None | >5 in 6h | ✅ Normal |
| subcog external PRs | 2 open (#151, #152 from mgildea) | — | ℹ️ Awaiting review |
Recommended Actions (Priority Order)
- [Immediate] Fix daedalus Security Audit — pin sigstore/cosign-installer SHA to faadad0cce49287aee09b3a48701e75088a2c6ad (v4.0.0). 18h+ failure, no fix pushed.
- [Within 7h] Revert atlatl-spec @redocly/cli to 2.20.0 — hits 48h stale threshold at ~01:30 UTC tomorrow.
- [Monitor] Watch atlatl pipeline run #23017463440 — active development, 4+ commits pushed today.
- [Medium] Restore .github Dependabot automation — GITHUB_TOKEN permissions audit needed.
- [Low] Review subcog PRs [aw] No-Op Runs #151 and [agent-health] Agent Status — 2026-03-07 #152 from external contributor mgildea.
Generated by smart-alerts workflow — https://github.com/zircote/.github/actions/runs/23017617494
gh-aw-workflow-id: smart-alerts