Skip to content

Apply community-reviewed improvements from Ratis PR #1328 to vulnerability-check workflow #16995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
HTHou merged 3 commits into from
Jan 8, 2026
Merged

Apply community-reviewed improvements from Ratis PR #1328 to vulnerability-check workflow #16995

HTHou merged 3 commits into from
Jan 8, 2026

Conversation

@OneSizeFitsQuorum
Copy link
Contributor

@OneSizeFitsQuorum OneSizeFitsQuorum commented Jan 7, 2026
edited
Loading

Description

Backports improvements to the weekly CVE scanning workflow that were validated through Apache Ratis PR community review process.

Workflow Simplification

  • Removed matrix strategy: Single runner (ubuntu-latest, JDK 17) instead of matrix configuration
  • Removed Maven cache: Cache ineffective for weekly scheduled jobs
  • Consolidated dependency checks: aggregate step subsumes check step

Enhanced Configuration

  • Added conditional execution: Prevents forks from running scheduled scans (github.repository == 'apache/iotdb')
  • Added NVD API key support: -DnvdApiKey=${{ secrets.NVD_API_KEY }} parameter for improved CVE data access
  • Consistent Maven args: $MAVEN_ARGS variable usage across commands

Improved Clarity

  • Renamed DATE_EAST_ASIAREPORT_DATE: Clearer semantic meaning
  • Simplified artifact naming: Removed redundant ${{ runner.os }} component
  • Updated step descriptions: More precise naming

Security Hardening

  • Added explicit permissions: contents: read follows principle of least privilege

This PR has:

  • been self-reviewed.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.

Copilot AI and others added 3 commits January 7, 2026 12:45
Initial plan
efeccbd
@OneSizeFitsQuorum
Apply improvements from Ratis PR apache#1328 to vulnerability-check w…
7841660 
…orkflow

Co-authored-by: OneSizeFitsQuorum <32640567+OneSizeFitsQuorum@users.noreply.github.com>
@OneSizeFitsQuorum
Add explicit permissions block for security best practices
c467cf5 
Co-authored-by: OneSizeFitsQuorum <32640567+OneSizeFitsQuorum@users.noreply.github.com>
HTHou
HTHou approved these changes Jan 8, 2026
View reviewed changes
Copy link
Contributor

@HTHou HTHou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@HTHou HTHou merged commit d19455d into apache:master Jan 8, 2026
28 of 29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HTHou HTHou HTHou approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OneSizeFitsQuorum @HTHou