Skip to content

fix(ci): tighten central workflow gates#382

Open
seonghobae wants to merge 6 commits into
mainfrom
fix/central-workflow-security-20260709
Open

fix(ci): tighten central workflow gates#382
seonghobae wants to merge 6 commits into
mainfrom
fix/central-workflow-security-20260709

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

  • Scope central required-workflow tokens to read-only defaults with job-scoped writes for Scorecard Token-Permissions alerts.
  • Print concrete Trivy SARIF findings in trivy-fs failure logs so required-check failures show package/CVE/path/message reasons.
  • Fix current Python CI regressions in Noema URL validation and PR merge scheduler Markdown rendering.

Verification

  • python3 -m pytest -> 175 passed, 5 warnings
  • python3 -m compileall -q scripts tests
  • git diff --cached --check
  • bash scripts/ci/test_strix_quick_gate.sh remains nonzero on existing stale contract-string assertions unrelated to this diff; full pytest covers the updated contracts.

Direct push

Direct push to main was rejected by repository rules: required workflows are not satisfied and changes must be made through a pull request.

Scope central workflow tokens to read-only defaults with job-scoped writes, print Trivy SARIF findings in failing logs, and repair scheduler/Noema CI regressions caught by the full test suite.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant