From a79dc7a055499b75e1f4c23e2ba88f74ababd83c Mon Sep 17 00:00:00 2001
From: lml2468
Date: Thu, 4 Jun 2026 17:08:06 +0800
Subject: [PATCH 1/5] ci: add OSV-Scanner vulnerability scanning

Add OSV-Scanner for dependency vulnerability detection using Google's official reusable workflow (v2.3.8, SHA-pinned).

Triggers:
- PR scan: incremental, reports only new vulnerabilities introduced by PR
- Push to main: full scan
- Weekly schedule: Monday 04:30 UTC (catch newly disclosed CVEs)
- Manual dispatch

Results are uploaded as SARIF to GitHub Code Scanning tab.

Ref: Workflow optimization task T10
---
 .github/workflows/osv-scanner.yml | 34 +++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/osv-scanner.yml

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..37cc7a3
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,34 @@
+name: OSV-Scanner
+
+on:
+ pull_request:
+ branches: [main]
+ merge_group:
+ types: [checks_requested]
+ push:
+ branches: [main]
+ schedule:
+ - cron: "30 4 * * 1" # Weekly Monday 04:30 UTC (12:30 CST)
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan-scheduled:
+ if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ with:
+ scan-args: |-
+ -r
+ ./
+
+ scan-pr:
+ if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ with:
+ scan-args: |-
+ -r
+ ./
From 114e118a455ff715ef9375a9cf78fb11a690d28b Mon Sep 17 00:00:00 2001
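Review bot: The inline comment on the `cron` line labels 04:30 UTC as `12:30 CST`, but CST is an ambiguous abbreviation (it also denotes US Central time); given the author's +0800 offset, `# Weekly Monday 04:30 UTC (12:30 Asia/Shanghai)` states the same fact without the ambiguity. The `# v2.3.8` comments on both `uses:` lines are the only human-readable record of what the pinned SHA corresponds to, and they go stale unless whatever bumps the SHA also rewrites the comment — Dependabot and Renovate do this only when the `github-actions` ecosystem is configured, which is separate from package updates and worth confirming in the repository's dependabot.yml. The workflow-level `security-events: write` flows into both called workflows, which is acceptable because the PR job runs on `pull_request` (fork heads are checked out without secrets); it should be kept that way rather than ever moved to `pull_request_target`, since the scanner executes against the PR's own manifests.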
From: lml2468
Date: Thu, 4 Jun 2026 18:05:21 +0800
Subject: [PATCH 2/5] fix: remove merge_group trigger from OSV-Scanner

merge_group events do not set GITHUB_BASE_REF, causing the PR scanner to target the wrong base branch. Remove merge_group from triggers and from scan-pr condition.

Fixes CHANGES_REQUESTED review feedback.
---
 .github/workflows/osv-scanner.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 37cc7a3..be1a848 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -3,8 +3,6 @@ name: OSV-Scanner
 on:
 pull_request:
 branches: [main]
- merge_group:
- types: [checks_requested]
 push:
 branches: [main]
 schedule:
@@ -26,7 +24,7 @@ jobs:
 ./
 
 scan-pr:
- if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+ if: github.event_name == 'pull_request'
 uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
 with:
 scan-args: |-
From 9ae418619cc4d662835e5feeef1b5782fda44008 Mon Sep 17 00:00:00 2001
From: lml2468
Date: Thu, 4 Jun 2026 18:27:21 +0800
Subject: [PATCH 3/5] fix: skip SARIF upload for fork PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fork PRs have read-only GITHUB_TOKEN without security-events:write, causing the SARIF upload step to fail. Pass upload-sarif=false for fork PRs while keeping the scan itself running.

Uses the existing upload-sarif input from Google's OSV reusable workflow — no custom fork detection logic needed.
---
 .github/workflows/osv-scanner.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index be1a848..148d804 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
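Review bot: Removing `merge_group` from `on:` (first hunk) and from the `scan-pr` condition (second hunk) means no OSV check is ever reported for merge-queue runs; if the repository uses a merge queue and `OSV-Scanner / scan-pr` is, or later becomes, a required status check, queued PRs will wait indefinitely for a check that never runs. Either make sure this check is not marked required, or reintroduce `merge_group` if a version of the reusable PR workflow accepts the base ref as an explicit input instead of reading `GITHUB_BASE_REF`. A comment above `pull_request:` such as `# merge_group intentionally omitted: the reusable PR scanner reads GITHUB_BASE_REF, which merge_group events do not set` would keep the next maintainer from re-adding it. The `scan-pr` job in the second hunk continues past the hunk's last line.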
@@ -30,3 +30,7 @@ jobs:
 scan-args: |-
 -r
 ./
+ # Fork PRs have read-only GITHUB_TOKEN; skip SARIF upload to avoid
+ # security-events:write permission failure. Scan still runs and
+ # results are visible in the workflow output.
+ upload-sarif: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
From 4dcf376c9f71a7886694db88f2838e94a582f307 Mon Sep 17 00:00:00 2001
From: lml2468
Date: Thu, 4 Jun 2026 18:48:33 +0800
Subject: [PATCH 4/5] fix: skip SARIF upload for Dependabot PRs

Dependabot-triggered pull_request workflows get a read-only GITHUB_TOKEN, causing security-events:write SARIF upload to fail. Add dependabot[bot] exclusion alongside the existing fork guard.

All 15 repos have dependabot.yml enabled, so this affects all of them.

Scan still runs for both fork and Dependabot PRs; only SARIF upload (which would fail anyway) is skipped.
---
 .github/workflows/osv-scanner.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 148d804..686b423 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -30,7 +30,8 @@ jobs:
 scan-args: |-
 -r
 ./
- # Fork PRs have read-only GITHUB_TOKEN; skip SARIF upload to avoid
- # security-events:write permission failure. Scan still runs and
- # results are visible in the workflow output.
- upload-sarif: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+ # Skip SARIF upload when GITHUB_TOKEN is read-only:
+ # - Fork PRs: token is inherently read-only
+ # - Dependabot PRs: GitHub enforces read-only token for dependabot[bot]
+ # Scan still runs; results visible in workflow output.
+ upload-sarif: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.user.login != 'dependabot[bot]' }}
From 6da01bf4920977a82afb6ae2c6950c5768e101bd Mon Sep 17 00:00:00 2001
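Review bot: The new Dependabot clause on the `upload-sarif:` line keys on the PR author, `github.event.pull_request.user.login`, whereas GitHub's read-only-token rule is, as far as the docs I recall describe it, about who triggered the run — `github.actor == 'dependabot[bot]'` — so the two diverge when a maintainer pushes to or re-runs a Dependabot-authored PR (token has normal permissions, yet the upload is skipped and the results land only in the log). If the actor rule holds for the current platform behaviour, `github.actor != 'dependabot[bot]'` matches it exactly; if not, the existing expression is the safer choice, and either way the comment block above should name the rule it relies on, e.g. `# upload requires security-events:write, which GitHub withholds when the run is triggered by dependabot[bot]`. Skipping the upload also means these PRs get no Code Scanning annotations, which the commit message accepts but the YAML comment could state more plainly. The `with:` block and the enclosing `scan-pr` job begin outside the hunk.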
From: Menglin Li
Date: Thu, 4 Jun 2026 19:03:33 +0800
Subject: [PATCH 5/5] fix: set fail-on-vuln false on scheduled scan to avoid permanent red CI
---
 .github/workflows/osv-scanner.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 686b423..8d76da1 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -6,7 +6,7 @@ on:
 push:
 branches: [main]
 schedule:
- - cron: "30 4 * * 1" # Weekly Monday 04:30 UTC (12:30 CST)
+ - cron: "30 4 * * 1" # Weekly Monday 04:30 UTC (12:30 CST)
 workflow_dispatch:
 
 permissions:
@@ -17,21 +17,23 @@ permissions:
 jobs:
 scan-scheduled:
 if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
- uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
 with:
 scan-args: |-
 -r
 ./
+ # Full scan reports pre-existing vulns to Code Scanning tab but does
+ # not fail the workflow. Pre-existing vulnerabilities should be tracked
+ # and remediated via the Security tab, not by blocking every push to main.
+ # New vulnerabilities are still blocked at PR time (scan-pr defaults to
+ # fail-on-vuln: true).
+ fail-on-vuln: false
 
 scan-pr:
 if: github.event_name == 'pull_request'
- uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
 with:
 scan-args: |-
 -r
 ./
- # Skip SARIF upload when GITHUB_TOKEN is read-only:
- # - Fork PRs: token is inherently read-only
- # - Dependabot PRs: GitHub enforces read-only token for dependabot[bot]
- # Scan still runs; results visible in workflow output.
 upload-sarif: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.user.login != 'dependabot[bot]' }}
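Review bot: With `fail-on-vuln: false` on `scan-scheduled`, the weekly run that the series' first commit relies on to "catch newly disclosed CVEs" can no longer turn CI red, and anything pushed to `main` directly (bypassing `scan-pr`) is likewise never blocked; a new disclosure against a dependency already on `main` surfaces only as a Code Scanning alert, which is silent unless alert notifications or a triage routine exist, and the comment should say so, e.g. `# NOTE: newly disclosed CVEs on main only surface as Code Scanning alerts; keep alert notifications enabled.` If the goal is only to stop pre-existing findings from failing every push, an alternative is to relax the cron run alone with `fail-on-vuln: ${{ github.event_name != 'schedule' }}` (reusable-workflow `with:` inputs accept expressions), though that only works once the baseline on `main` is clean. The comment's claim that scan-pr "defaults to fail-on-vuln: true" is inherited from the reusable workflow at the pinned SHA and is not visible in this file, so it should be verified against that revision. The `- uses:`/`+ uses:` pairs in this hunk, like the `cron` pair in the previous hunk, show no textual difference after whitespace collapse, so whatever changed there (presumably comment spacing) cannot be reviewed from this copy.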