linuxfoundation
diff --git a/‎.github/workflows/build-pr.yml‎
Lines changed: 12 additions & 0 deletions b/‎.github/workflows/build-pr.yml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-dev.yml‎
Lines changed: 14 additions & 1 deletion b/‎.github/workflows/deploy-dev.yml‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎.github/workflows/go-audit.yml‎
Lines changed: 0 additions & 9 deletions b/‎.github/workflows/go-audit.yml‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎.github/workflows/license-header-check.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/license-header-check.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/security-scan-go.yml‎
Lines changed: 10 additions & 2 deletions b/‎.github/workflows/security-scan-go.yml‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎.github/workflows/yarn-scan-backend-go-pr.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/yarn-scan-backend-go-pr.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/yarn-scan-backend-pr.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/yarn-scan-backend-pr.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.yarn-audit-allowlist.json‎
Lines changed: 2 additions & 34 deletions b/‎.yarn-audit-allowlist.json‎
Lines changed: 2 additions & 34 deletions
@@ -49,36 +49,48 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Configure Git to clone private Github repos
+        if: github.event.pull_request.head.repo.full_name == github.repository
         run: git config --global url."https://${TOKEN_USER}:${TOKEN}@github.com".insteadOf "https://github.com"
         env:
           TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }}
           TOKEN_USER: ${{ secrets.PERSONAL_ACCESS_TOKEN_USER_GITHUB }}
 
+      - name: Note - cla-backend-go checks skipped (fork PR, no private module access)
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          echo "::notice title=Fork PR::cla-backend-go build/test/lint skipped — private github.com/LF-Engineering/* modules are not accessible from fork PRs. These checks will run on merge."
+
       - name: Add OS Tools
         run: sudo apt update && sudo apt-get install file -y
 
       - name: Go Setup
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make clean setup
 
       - name: Go Dependencies
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make deps
 
       - name: Go Swagger Generate
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make swagger
 
       - name: Go Build
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: |
           make build-lambdas-linux build-functional-tests-linux
 
       - name: Go Test
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make test
 
       - name: Go Lint
+        if: github.event.pull_request.head.repo.full_name == github.repository
         working-directory: cla-backend-go
         run: make lint
 
 
@@ -26,22 +26,31 @@ jobs:
         language: ['go', 'python', 'javascript']
 
     steps:
+      - name: Note - Go CodeQL skipped (fork PR, no private module access)
+        if: matrix.language == 'go' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          echo "::notice title=Fork PR::Go CodeQL skipped — cla-backend-go requires private github.com/LF-Engineering/* modules not accessible from fork PRs."
+
       - name: Checkout repository
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/codeql-config.yml
 
       - name: Autobuild
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
+        if: matrix.language != 'go' || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"
@@ -7,6 +7,11 @@ on:
   push:
     branches:
       - dev
+  pull_request_target:
+    types: [closed]
+    branches:
+      - dev
+  workflow_dispatch:
 
 permissions:
   # These permissions are needed to interact with GitHub's OIDC Token endpoint to fetch/set the AWS deployment credentials.
@@ -16,14 +21,22 @@ permissions:
 env:
   AWS_REGION: us-east-1
   STAGE: dev
-  DD_VERSION: ${{ github.sha }}
+  DD_VERSION: ${{ github.event.pull_request.merge_commit_sha || github.sha }}
+
+concurrency:
+  group: deploy-dev
+  cancel-in-progress: true
 
 jobs:
   build-deploy-dev:
     runs-on: ubuntu-latest
     environment: dev
+    if: github.event_name != 'pull_request_target' || github.event.pull_request.merged == true
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }}
+          persist-credentials: false
 
       - name: Setup go
         uses: actions/setup-go@v5
 
@@ -33,22 +33,13 @@ jobs:
       with:
         go-version: '1.25'
 
-    # Nancy for known vulnerabilities
-    - name: Nancy vulnerability scanner
-      working-directory: ./cla-backend-legacy
-      run: |
-        go install github.com/sonatypecommunity/nancy@latest
-        go list -json -deps ./... | nancy sleuth --loud
-      continue-on-error: true
-
     # Official Go vulnerability scanner
     - name: Go vulnerability database check
       working-directory: ./cla-backend-legacy
       run: |
         go install golang.org/x/vuln/cmd/govulncheck@latest
         govulncheck -json ./... > govulncheck-results.json
         govulncheck ./...
-      continue-on-error: true
 
     - name: Upload vulnerability results
       uses: actions/upload-artifact@v4
 
@@ -12,6 +12,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   license-header-check:
     name: License Header Check
 
@@ -41,21 +41,29 @@ jobs:
 
     - name: Upload Gosec results to GitHub Security Tab
       uses: github/codeql-action/upload-sarif@v3
-      if: always()
+      if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
       with:
         sarif_file: cla-backend-legacy/gosec-results.sarif
         category: gosec
 
+    - name: Upload Gosec SARIF as artifact (fork PR - security tab write not available)
+      uses: actions/upload-artifact@v4
+      if: always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
+      with:
+        name: gosec-results-sarif
+        path: cla-backend-legacy/gosec-results.sarif
+        if-no-files-found: ignore
+
     # govulncheck - official Go vulnerability scanner
     - name: Go vulnerability check
       working-directory: ./cla-backend-legacy
       run: |
         go install golang.org/x/vuln/cmd/govulncheck@latest
         govulncheck ./...
-      continue-on-error: true
 
     # staticcheck for additional Go analysis
     - name: staticcheck
+      if: always()
       working-directory: ./cla-backend-legacy
       run: |
         go install honnef.co/go/tools/cmd/staticcheck@latest
 
@@ -15,6 +15,9 @@ on:
       - ".yarn-audit-allowlist.json"
       - ".github/workflows/yarn-scan-backend-go-pr.yml"
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-backend-go-pr:
     runs-on: ubuntu-latest
 
@@ -15,6 +15,9 @@ on:
       - ".yarn-audit-allowlist.json"
       - ".github/workflows/yarn-scan-backend-pr.yml"
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-backend-pr:
     runs-on: ubuntu-latest
 
@@ -274,6 +274,7 @@ cla-backend/python-api.err
 cla-backend-go/golang-api.err
 cla-backend-go/golang-api.log
 utils/otel_dd_go/otel_dd
+utils/otel_dd_go/otel_dd_go
 audit.json
 spans*.json
 *api_usage*.csv
@@ -286,3 +287,4 @@ spans*.json
 *.test
 *.out
 CLAUDE.md
+.claude/*
@@ -1,37 +1,5 @@
 {
   "minSeverity": "high",
-  "allowlist": [
-    1111997,
-    1115552,
-    1116289,
-    1115805,
-    1115806,
-    1116365,
-    1116473,
-    1116454,
-    1116478,
-    1117083,
-    1117575,
-    1117590,
-    1117592,
-    1117673,
-    1117726
-  ],
-  "notes": {
-    "1111997": "aws-sdk v2 advisory flagged as 'No patch available' in our current baseline; accepted until migration.",
-    "1115552": "picomatch advisory introduced after the current lockfile baseline; temporarily allowlisted to restore CI while the transitive dependency upgrade is refreshed explicitly in backend yarn.lock files.",
-    "1116289": "basic-ftp CRLF injection advisory introduced after the rebased dev baseline; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1115805": "lodash-es _.template advisory (GHSA-r5fr-rjxr-66jc / CVE-2026-4800). Temporary CI allowlist to avoid widening this parity PR into a backend dependency refresh.",
-    "1115806": "lodash _.template advisory (GHSA-r5fr-rjxr-66jc / CVE-2026-4800). Temporary CI allowlist to avoid widening this parity PR into a backend dependency refresh.",
-    "1116365": "Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF",
-    "1116473": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
-    "1116454": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
-    "1116478": "basic-ftp has FTP Command Injection via CRLF",
-    "1117083": "basic-ftp DoS via Client.list() unbounded memory; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117575": "axios CVE-2025-62718 NO_PROXY bypass via 127.0.0.0/8 loopback; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117590": "axios prototype pollution gadgets; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117592": "axios header injection via prototype pollution; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117673": "simple-git RCE advisory; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
-    "1117726": "basic-ftp client-side DoS via unbounded multiline buffering; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh."
-  }
+  "allowlist": [],
+  "notes": {}
 }