maintenance: align NVD cache workflow parity and action pinning policy#32

Merged
Arc-E-Tect merged 1 commit into main from fix-action-sha on Jul 1, 2026

Conversation

@Arc-E-Tect (Owner)

Align NVD cache refresh/security-scan workflows with the SoftwareEngineeringDoneRight-Gradle implementation (except primer location), add manual force_nvd_refresh control for Spring Rules security scan dispatch, and codify full SHA pinning for external GitHub Actions in Copilot instructions. actionlint passes for all workflows.

What changed:

- Updated .github/workflows/security-scan.yml to match the Gradle repository’s NVD cache strategy: added optional project_dir support, dependency-check task detection, guarded scan execution, and cache save when force_nvd_refresh is used.

- Updated .github/workflows/spring-rules-security-scan.yml to expose workflow_dispatch force_nvd_refresh and pass it through to the reusable security scan workflow.

- Updated .github/workflows/nvd-cache-refresh.yml wording and summary details to match the Gradle repository behavior while keeping the local nvd-cache-primer path.

- Updated .github/copilot-instructions.md with an explicit security requirement that all external GitHub Actions must be pinned to full 40-character commit SHAs.

Why:

- The repository needed parity with the SoftwareEngineeringDoneRight-Gradle implementation for NVD cache refresh and scan behavior so vulnerability checks avoid repeated expensive NVD updates while retaining manual override controls.

- The workflow security policy needed to explicitly prevent mutable action refs to reduce supply-chain risk.

How:

- Ported the Gradle repository’s reusable security-scan hardening pattern and dispatch controls.

- Preserved only intentional differences related to the local nvd-cache-primer location.

Side effects and constraints:

- Security scan steps now skip gracefully when dependency-check tasks are unavailable in a target project.

- force_nvd_refresh now controls both update execution and cache save behavior in the reusable scan workflow.

Outcomes:

- actionlint .github/workflows/*.yml passes after these changes.
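As an added example (not code from this repository or its workflows), a small checker for the pinning rule the Copilot instructions item describes: every external `uses:` reference must resolve to a full 40-character commit SHA. The sample workflow, its SHA value and the action names in it are constructed; local `./` actions and `docker://` refs are skipped as outside the policy's scope.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full
40-character commit SHA (added example, not the repository's own tooling)."""
import re

# Matches `uses: owner/repo[/path]@ref`, tolerating quotes and a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
# Git object ids are lowercase hex; anything else (tag, branch, short SHA) is mutable
# or ambiguous and fails the check.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text):
    """Return (line_no, uses_value, reason) for every unpinned external action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        # Local composite actions and docker images are not GitHub-hosted refs.
        if value.startswith("./") or value.startswith("docker://"):
            continue
        if "@" not in value:
            findings.append((lineno, value, "no ref at all"))
            continue
        _action, ref = value.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, value, f"mutable ref '{ref}' (tag or branch)"))
    return findings


# Constructed sample: one SHA-pinned step (placeholder SHA), one tag ref,
# one local action, one branch ref, one docker image.
SAMPLE_WORKFLOW = """\
name: security-scan
on: [workflow_dispatch]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x
      - uses: actions/setup-java@v4
      - uses: ./.github/actions/nvd-cache-primer
      - uses: example-org/example-action@main
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, value, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value}: {reason}")
```

Running it over the constructed sample reports only the `@v4` and `@main` steps; the same function can be pointed at each file under `.github/workflows/` in CI to enforce the policy alongside actionlint.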
@Arc-E-Tect Arc-E-Tect merged commit 869930d into main Jul 1, 2026
4 checks passed
@Arc-E-Tect Arc-E-Tect deleted the fix-action-sha branch July 1, 2026 10:03