ci: fix wiring bugs in security scanning workflows
First real Actions run surfaced four plumbing bugs (no real findings):
- trivy-action pinned to a non-existent tag; the action's tags are
v-prefixed (0.31.0 -> v0.31.0). Affected security, docker-publish and
build-agent workflows.
- govulncheck wrapper invoked via `go run` on a path in the separate
.github module, which failed to resolve against the scanned module.
Build the wrapper binary from its own module first, then pipe into it.
- CodeQL uploaded SARIF twice per job (analyze + a manual filter step)
with a colliding category. Drop the redundant upload; code scanning
surfaces new-only alerts on PRs natively.
- Semgrep baseline fetch failed (exit 128) on dubious-ownership/shallow
checkout. Use fetch-depth 0, mark the workspace safe, and diff against
the PR base SHA instead of origin/master.
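The four fixes above translate into workflow changes along the following lines. This is an added illustration, not the repository's own workflow file: the job layout, the Go version source, the Semgrep ruleset and the wrapper path `.github/cmd/vulnfilter` are assumptions; the action tags, `go build -C`, `--baseline-commit`, `fetch-depth: 0` and `safe.directory` are the real mechanisms the message refers to.

```yaml
# Added example workflow (not the project's own). Paths and job names are assumed.
name: security
on:
  pull_request:
  push:
    branches: [master]

permissions:
  contents: read
  security-events: write   # needed for SARIF upload

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Fix 1: trivy-action tags are v-prefixed; "@0.31.0" does not resolve.
      - uses: aquasecurity/trivy-action@v0.31.0
        with:
          scan-type: fs
          format: sarif
          output: trivy.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy.sarif
          category: trivy

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumption: the scanned module's go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Fix 2: the wrapper lives in the separate .github module, so `go run
      # ./.github/...` from the scanned module fails to resolve. Build it inside
      # its own module first (go build -C), then pipe govulncheck output into it.
      - run: go build -C .github -o "$RUNNER_TEMP/vulnfilter" ./cmd/vulnfilter   # path assumed
      - run: govulncheck -json ./... | "$RUNNER_TEMP/vulnfilter"

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      # Fix 3: analyze uploads its SARIF itself. A second upload-sarif step with
      # the same category collides, and PR checks already show new-only alerts,
      # so no manual filter/upload step follows.
      - uses: github/codeql-action/analyze@v3

  semgrep:
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # Fix 4a: baseline diff needs history, not a shallow clone
      # Fix 4b: the container user differs from the checkout owner, so git exits
      # 128 with "dubious ownership" until the workspace is marked safe.
      - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      # Fix 4c: diff against the PR base SHA, not origin/master.
      - if: github.event_name == 'pull_request'
        run: semgrep scan --config auto --baseline-commit "${{ github.event.pull_request.base.sha }}"
      - if: github.event_name != 'pull_request'
        run: semgrep scan --config auto
```

The `safe.directory` line must run before any git-touching step in the container (including Semgrep's own baseline checkout), and the base SHA is only defined on `pull_request` events, hence the two guarded Semgrep steps.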