🌱 Add OSV scanner PR and schedule workflows #492
Conversation
metal3-io-bot
added
the
size/L
|
/hold |
metal3-io-bot
added
the
do-not-merge/hold
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
@tuminoid how do you feel about this specially the uploading the artifacts about the analysis results ? |
Although those are empty now, I wonder why? |
|
/test ? |
|
@kashifest: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
kashifest
force-pushed
the
add/OSV-scanner
branch
from
edb1546 to
0f2372c
Compare
|
/test metal3-centos-e2e-integration-test-main |
|
I'll take look on the artifacts this week. |
|
/test metal3-centos-e2e-integration-test-main |
Can you please describe more ! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lentzi90 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
metal3-io-bot
added
the
approved
There was a problem hiding this comment.
This is one weird setup... I guess it is organized such that the first workflow with workflow_call is reusable, and is being called by the second workflow. IMO it has issues with naming, pinning etc.
Second, with osv-scanner, we have issues with golang stdlib. We don't specify a patch version in our go directive, which means it'll assume it as 0. This leads to failures. If this is failing in a PR, we can never merge a thing, nothing will ever pass.
I need to do more local testing with gh act but I think we can only take the scheduled part, or on-demand, and not run it on PRs, and even on scheduled ones, it'll pollute the security events with false positives due the golang issue.
/hold
For further testing.
|
Thanks @tuminoid for the review , I will check it up |
kashifest
force-pushed
the
add/OSV-scanner
branch
from
0f2372c to
b717202
Compare
kashifest
force-pushed
the
add/OSV-scanner
branch
6 times, most recently
from
79ca23b to
a864b4c
Compare
kashifest
force-pushed
the
add/OSV-scanner
branch
4 times, most recently
from
6b5cd7b to
f4fbee9
Compare
kashifest
force-pushed
the
add/OSV-scanner
branch
from
f4fbee9 to
c234d34
Compare
|
I think I have answered most of the comments here @tuminoid |
kashifest
force-pushed
the
add/OSV-scanner
branch
from
c234d34 to
e107a41
Compare
|
/cc @tuminoid |
Signed-off-by: Kashif Khan <[email protected]>
kashifest
force-pushed
the
add/OSV-scanner
branch
from
e107a41 to
0adb89e
Compare
|
/hold cancel |
metal3-io-bot
removed
the
do-not-merge/hold
|
/override metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main |
|
@kashifest: Overrode contexts on behalf of kashifest: metal3-centos-e2e-integration-test-main, metal3-ubuntu-e2e-integration-test-main In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR adds OSV scanner PR and schedule workflows. Workflow files are adapted from https://github.com/google/osv-scanner