DOC: Add MAINTAINERS.md with notes on grype security scans

matthewfeickert · matthewfeickert · commit 0961bc55c441 · 2026-04-30T16:40:09.000-06:00
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,46 @@
+# upload-nightly-action Maintainer Notes
+
+## Grype security scans in CI
+
+[`grype`](https://github.com/anchore/grype) is used to perform scheduled security scans of the `upload-nightly-action` Pixi environment in CI.
+In the event that the scan fails, a maintainer should:
+
+1. Check to see if the detected vulnerability can be avoided by upgrading dependencies with
+
+```
+pixi upgrade
+```
+
+2. If the `pixi.lock` has been updated by this action, then the offending packages should be checked for updates with `pixi list` and the `grype` scan should be repeated with
+
+```
+pixi run grype
+```
+
+3. If the `pixi.lock` lock file is not updated try resolving the lock file fresh with
+
+```
+pixi reinstall
+```
+
+or by
+
+```
+rm pixi.lock && pixi lock
+```
+
+and then running the scan again
+
+
+```
+pixi run grype
+```
+
+4. If the `pixi.lock` lock file is still not updated with fixes to the offending packages, then the changes to the `pixi.toml` Pixi manifest and `pixi.lock` lock file can be ignored/reverted and a maintainer should open up a tracking GitHub issue that reports the vulnerability and summarizes their understanding of the root cause of the vulnerability being introduced to the environment.
+`pixi tree --invert` may help with this.
+
+Example:
+
+```
+pixi tree --invert openssl
+```
