[CI] Improve workflows#1716
Conversation
Dependency ReviewThe following issues were found:
Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. License Issues.github/workflows/owasp-dependency-check.yml
OpenSSF Scorecard
Scanned Files
|
Codecov Report✅ All modified and coverable lines are covered by tests. @@ Coverage Diff @@
## main #1716 +/- ##
======================================
Coverage 78% 78%
Complexity 130 130
======================================
Files 157 157
Lines 7799 7799
Branches 715 715
======================================
Hits 6009 6009
Misses 1377 1377
Partials 413 413 🚀 New features to boost your workflow:
|
Test Results479 tests 478 ✅ 5m 10s ⏱️ Results for commit f19b227. ♻️ This comment has been updated with latest results. |
91dee4b to
f19b227
Compare
There was a problem hiding this comment.
Pull request overview
This PR adjusts CI workflows to improve reliability and performance, with a focus on keeping the OWASP dependency-check database cached independently.
Changes:
- Ensure Maven snapshot cleanup runs even if earlier steps fail in the QA workflow.
- Add a dedicated GitHub Actions cache entry for the OWASP dependency-check DB inside the Maven repository.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.github/workflows/qa.yml |
Runs the snapshot cleanup step unconditionally to keep caches tidy after failures. |
.github/workflows/owasp-dependency-check.yml |
Adds a cache step intended to persist OWASP dependency-check data between runs. |
| - uses: actions/cache@v5 | ||
| with: | ||
| path: ~/.m2/repository/org/owasp/dependency-check-data | ||
| key: owasp-db-maven | ||
| restore-keys: | | ||
| owasp-db-maven |
There was a problem hiding this comment.
The cache key is constant (owasp-db-maven). Because GitHub Actions caches are immutable per key, once this cache exists it will be restored on every run and never be saved again, so any NVD/OWASP DB updates downloaded during the job won’t persist to future runs. This largely defeats the goal of keeping a separately cached DB.
Use a changing key for saves (eg include a week/date/"cache version" computed in a prior step) and a stable restore-keys prefix to restore the latest available cache; optionally only save on the scheduled run to avoid creating many caches.
| - uses: actions/cache@v5 | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: owasp-db-maven | |
| restore-keys: | | |
| owasp-db-maven | |
| - name: 'Compute OWASP cache key' | |
| id: owasp_cache_key | |
| run: echo "week=$(date -u +%G-W%V)" >> "$GITHUB_OUTPUT" | |
| - uses: actions/cache@v5 | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: owasp-db-maven-${{ steps.owasp_cache_key.outputs.week }} | |
| restore-keys: | | |
| owasp-db-maven- |
try to keep a separately cached version of the OWASP db