Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CVE scan GitHub workflow that is triggered on pull requests #2979

Merged
merged 1 commit into from
Jul 1, 2024
Merged

Add CVE scan GitHub workflow that is triggered on pull requests #2979

merged 1 commit into from
Jul 1, 2024

Conversation

weresch
Copy link
Contributor

@weresch weresch commented Jun 28, 2024

Thank you for contributing to the CF CLI! Please read the following:

  • Please make sure you have implemented changes in line with the contributing guidelines
  • We're not allowed to accept any PRs without a signed CLA, no matter how small.
    If your contribution falls under a company CLA but your membership is not public, expect delays while we confirm.
  • All new code requires tests to protect against regressions.
  • Contributions must be made against the appropriate branch. See the contributing guidelines
  • Contributions must conform to our style guide. Please reach out to us if you have questions.

Note: Please create separate PR for every branch (main, v8 and v7) as needed.

Description of the Change

Adding a CVE scan GitHub workflow on PRs. This has been merged to main, this PR is for v7 branch.

Why Is This PR Valuable?

The CVE scan GitHub workflow on PRs helps prevent known CVEs from being added to the codebase.

Applicable Issues

No applicable issues

How Urgent Is The Change?

Not urgent

Other Relevant Parties

No one else

@weresch
Add CVE scan GitHub workflow that is triggered on pull requests (clou…
740f68d 
…dfoundry#2977)

* Add a GitHub workflow to scan for CVEs
* Run on each commit, PR, and on-demand
* Remove CVE scan workflow trigger on commits
joaopapereira
joaopapereira approved these changes Jul 1, 2024
View reviewed changes
Copy link
Contributor

@joaopapereira joaopapereira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

a-b
a-b approved these changes Jul 1, 2024
View reviewed changes
Copy link
Member

@a-b a-b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@a-b a-b merged commit d3b8cbb into cloudfoundry:v7 Jul 1, 2024
1 check passed
@chinigo
Copy link
Contributor

chinigo commented Jul 1, 2024
edited
Loading

[This is essentially the same comment as on #2978, the v8 variant of this PR.]

There were no checks run against this PR, which surprises me. According to the docs:

Each workflow run will use the version of the workflow that is present in the associated commit SHA or Git ref of the event. When a workflow runs, GitHub sets the GITHUB_SHA (commit SHA) and GITHUB_REF (Git ref) environment variables in the runner environment. For more information, see "Variables."

I interpret that to mean "the workflows executed against a PR are defined on the branch being merged in." (As opposed to, say, the default branch, or the branch being targeted by the PR.) And this is the behavior @weresch and I saw when we were working on his fork.

But it's not just the new CVE check that failed to run — no checks were run at all. Earlier pull requests into v7, such as this one, #2974, from Friday do have checks.

Did we somehow break checks on v7 PRs altogether? One way we could test this is to trigger a rebuild of another PR targeting v7. Could somebody with commit access to this repo (@a-b?) maybe rebase one of those PRs, say, #2974, to see if the new CVE check — along with the other, preexisting ones — is run?

@chinigo chinigo mentioned this pull request Jul 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joaopapereira joaopapereira joaopapereira approved these changes

@a-b a-b a-b approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@weresch @chinigo @a-b @joaopapereira