Skip to content

[CI] Improve workflows#1716

Merged
mprins merged 1 commit into
mainfrom
improve_workflows
Apr 28, 2026
Merged

[CI] Improve workflows#1716
mprins merged 1 commit into
mainfrom
improve_workflows

Conversation

@mprins

@mprins mprins commented Apr 28, 2026

Copy link
Copy Markdown
Contributor

try to keep a separately cached version of the OWASP db

@mprins mprins added the infrastructure build infrastructure (Maven plugins, CI related, ...) label Apr 28, 2026
@github-actions

github-actions Bot commented Apr 28, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA f19b227.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/owasp-dependency-check.yml

PackageVersionLicenseIssue Type
actions/cache5.*.*NullUnknown License
Allowed Licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, LGPL-2.1-only, EPL-2.0, EPL-1.0
Excluded from license check: pkg:maven/org.eclipse.angus/jakarta.mail@2.0.5?type=jar, pkg:maven/jakarta.ws.rs:jakarta.ws.rs-api@4.0.0?type=jar

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/cache 5.*.* 🟢 6
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 7/9 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 10SAST tool is run on all commits

Scanned Files

  • .github/workflows/owasp-dependency-check.yml

@codecov

codecov Bot commented Apr 28, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Impacted file tree graph

@@          Coverage Diff           @@
##             main   #1716   +/-   ##
======================================
  Coverage      78%     78%           
  Complexity    130     130           
======================================
  Files         157     157           
  Lines        7799    7799           
  Branches      715     715           
======================================
  Hits         6009    6009           
  Misses       1377    1377           
  Partials      413     413           
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions

github-actions Bot commented Apr 28, 2026

Copy link
Copy Markdown

Test Results

479 tests   478 ✅  5m 10s ⏱️
 54 suites    1 💤
 54 files      0 ❌

Results for commit f19b227.

♻️ This comment has been updated with latest results.

@mprins mprins force-pushed the improve_workflows branch from 91dee4b to f19b227 Compare April 28, 2026 13:06
@mprins mprins marked this pull request as ready for review April 28, 2026 13:59
Copilot AI review requested due to automatic review settings April 28, 2026 13:59
@mprins mprins merged commit b413efe into main Apr 28, 2026
27 of 28 checks passed
@mprins mprins deleted the improve_workflows branch April 28, 2026 13:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts CI workflows to improve reliability and performance, with a focus on keeping the OWASP dependency-check database cached independently.

Changes:

  • Ensure Maven snapshot cleanup runs even if earlier steps fail in the QA workflow.
  • Add a dedicated GitHub Actions cache entry for the OWASP dependency-check DB inside the Maven repository.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/qa.yml Runs the snapshot cleanup step unconditionally to keep caches tidy after failures.
.github/workflows/owasp-dependency-check.yml Adds a cache step intended to persist OWASP dependency-check data between runs.

Comment on lines +42 to +47
- uses: actions/cache@v5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: owasp-db-maven
restore-keys: |
owasp-db-maven

Copilot AI Apr 28, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cache key is constant (owasp-db-maven). Because GitHub Actions caches are immutable per key, once this cache exists it will be restored on every run and never be saved again, so any NVD/OWASP DB updates downloaded during the job won’t persist to future runs. This largely defeats the goal of keeping a separately cached DB.

Use a changing key for saves (eg include a week/date/"cache version" computed in a prior step) and a stable restore-keys prefix to restore the latest available cache; optionally only save on the scheduled run to avoid creating many caches.

Suggested change
- uses: actions/cache@v5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: owasp-db-maven
restore-keys: |
owasp-db-maven
- name: 'Compute OWASP cache key'
id: owasp_cache_key
run: echo "week=$(date -u +%G-W%V)" >> "$GITHUB_OUTPUT"
- uses: actions/cache@v5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: owasp-db-maven-${{ steps.owasp_cache_key.outputs.week }}
restore-keys: |
owasp-db-maven-

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

infrastructure build infrastructure (Maven plugins, CI related, ...)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants