DOC: Add MAINTAINERS.md with notes on grype security scans

matthewfeickert · matthewfeickert · commit 0184cca7c9be · 2026-04-30T16:31:19.000-06:00
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,40 @@
+# upload-nightly-action Maintainer Notes
+
+## Grype security scans in CI
+
+[`grype`](https://github.com/anchore/grype) is used to perform scheduled security scans of the `upload-nightly-action` Pixi environment in CI.
+In the event that the scan fails, a maintainer should:
+
+1. Check to see if the detected vulnerability can be avoided by upgrading dependencies with
+
+```
+pixi upgrade
+```
+
+2. If the `pixi.lock` has been updated by this action, then the offending packages should be checked for updates with `pixi list`.
+If there are updates available try resolving the lock file fresh with
+
+```
+pixi reinstall
+```
+
+or by
+
+```
+rm pixi.lock && pixi lock
+```
+
+3. Repeat the `grype` scan with
+
+```
+pixi run grype
+```
+
+4. If the `pixi.lock` lock file is not updated, then the changes to the `pixi.toml` Pixi manifest can be ignored/reverted and a maintainer should open up a tracking GitHub issue that reports the vulnerability and summarizes their understanding of the root cause of the vulnerability being introduced to the environment.
+`pixi tree --invert` may help with this.
+
+Example:
+
+```
+pixi tree --invert openssl
+```
