maintenance: align NVD cache workflow parity and action pinning policy#32
Merged
Conversation
What changed:
- Updated .github/workflows/security-scan.yml to match the Gradle repository’s NVD cache strategy: added optional project_dir support, dependency-check task detection, guarded scan execution, and cache save when force_nvd_refresh is used.
- Updated .github/workflows/spring-rules-security-scan.yml to expose workflow_dispatch force_nvd_refresh and pass it through to the reusable security scan workflow.
- Updated .github/workflows/nvd-cache-refresh.yml wording and summary details to match the Gradle repository behavior while keeping the local nvd-cache-primer path.
- Updated .github/copilot-instructions.md with an explicit security requirement that all external GitHub Actions must be pinned to full 40-character commit SHAs.

Why:
- The repository needed parity with the SoftwareEngineeringDoneRight-Gradle implementation for NVD cache refresh and scan behavior so vulnerability checks avoid repeated expensive NVD updates while retaining manual override controls.
- The workflow security policy needed to explicitly prevent mutable action refs to reduce supply-chain risk.

How:
- Ported the Gradle repository’s reusable security-scan hardening pattern and dispatch controls.
- Preserved only intentional differences related to the local nvd-cache-primer location.

Side effects and constraints:
- Security scan steps now skip gracefully when dependency-check tasks are unavailable in a target project.
- force_nvd_refresh now controls both update execution and cache save behavior in the reusable scan workflow.

Outcomes:
- actionlint .github/workflows/*.yml passes after these changes.
Align NVD cache refresh/security-scan workflows with the SoftwareEngineeringDoneRight-Gradle implementation (except primer location), add manual force_nvd_refresh control for Spring Rules security scan dispatch, and codify full SHA pinning for external GitHub Actions in Copilot instructions. actionlint passes for all workflows.
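The full-SHA pinning rule this PR writes into copilot-instructions.md is a policy statement; actionlint checks workflow syntax, not whether `uses:` refs are immutable. The shell check below is an added example and is not code from this PR or from either repository. It scans one workflow file and reports every external `uses:` reference whose ref is not a 40-hex commit SHA, which is the check a reviewer would want to run before merging a workflow change like this one. The sample workflow it writes is constructed for the demo: the SHA on its checkout line is a placeholder, `example-org/example-repo` is hypothetical, and the local `./.github/actions/nvd-cache-primer` path is assumed.

```shell
#!/bin/sh
# Added example (not from this PR or either repository): enforce the
# "external actions must be pinned to a full 40-character commit SHA" rule
# by scanning a workflow file for `uses:` refs that are anything else.
#
# Real-repo usage:
#   for f in .github/workflows/*.yml; do check_action_pins "$f" || fail=1; done

# Print "<line>: <ref>" for every external `uses:` reference in $1 that is not
# pinned to a 40-hex commit SHA. Returns 1 if any were found, 0 otherwise.
# Local actions (./path) are skipped. docker:// images are skipped too, since
# image pinning is checked by digest, which is a separate concern.
check_action_pins() {
  awk -v sq="'" '
    /^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*/, "", ref)  # keep only the value
      sub(/[[:space:]]*#.*$/, "", ref)       # drop trailing "# v4.1.1" style comments
      gsub(/"/, "", ref); gsub(sq, "", ref)  # strip YAML quotes
      if (ref ~ /^\.\//) next                # local action in this repo
      if (ref ~ /^docker:\/\//) next         # container image, out of scope here
      n = split(ref, parts, "@")
      sha = parts[2]
      if (n != 2 || length(sha) != 40 || sha !~ /^[0-9a-fA-F]+$/) {
        print NR ": " ref
        bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample workflow for the demo (not the PR's workflow). The SHA on
# the checkout line is a placeholder, example-org/example-repo is hypothetical,
# and the local nvd-cache-primer path is assumed. It mixes a pinned action, a
# mutable tag, a local action, a quoted branch ref, and a reusable workflow
# called by tag, so the check has something to flag and something to pass.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: security-scan
on:
  workflow_dispatch:
    inputs:
      force_nvd_refresh:
        type: boolean
        default: false
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-java@v4
      - uses: ./.github/actions/nvd-cache-primer
      - uses: 'gradle/actions/setup-gradle@main'
  rules-scan:
    uses: example-org/example-repo/.github/workflows/security-scan.yml@main
    with:
      force_nvd_refresh: ${{ inputs.force_nvd_refresh }}
EOF
}

# Demo: lines 13, 15 and 17 of the sample are mutable refs and get reported;
# the pinned checkout (line 12) and the local action (line 14) do not.
sample=$(mktemp)
write_sample_workflow "$sample"
if check_action_pins "$sample"; then
  echo "all external actions pinned to a full commit SHA"
else
  echo "unpinned external actions found; pin each to a full commit SHA"
fi
rm -f "$sample"
```

Two caveats a reviewer should keep in mind: a 40-hex ref proves immutability, not identity, so the check does not confirm that the SHA belongs to the repository named before the `@` or that the trailing `# v4.1.1` comment matches it; that part is still manual review. Dependabot can update SHA-pinned actions, so pinning does not have to mean freezing.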