ci: pr-cve-check only scan changed recipes #15499
Merged
rpcme merged 1 commit into aws4embeddedlinux:master-next from Apr 21, 2026
The pr-cve-check workflow was running CVE checks against every .bb recipe in the layer on every PR, causing very long run times. Add a 'changed' job (mirroring build-test-recipe pattern) that detects which recipes were modified in the PR, then only CVE-check those. Skip the CVE check entirely if no recipe files changed.
Merged via the queue into aws4embeddedlinux:master-next with commit 62d4540 on Apr 21, 2026. 8 of 9 checks passed.
Problem
The pr-cve-check workflow runs CVE checks against every .bb recipe in the layer on every PR, regardless of what changed. This causes very long run times (50+ minutes and counting).
Fix
Add a changed job (mirroring the build-test-recipe pattern) that:
.bb/.inc files were modified in the PR
Testing
The diff detection logic mirrors the proven pattern from build-test-recipe.yml.
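The selection step described above, sketched as an added example that is not the workflow from this PR or from build-test-recipe.yml. The function names, the sample paths, and the rule that a changed .inc selects the .bb files in its own directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow): choose which recipes a PR-scoped
# CVE check should scan. Function names and the layer layout are assumptions.

# Recipe files changed between a base ref and HEAD. --diff-filter=d drops
# deleted files, which no longer exist to be scanned.
list_changed_files() {   # $1 = base ref
    git diff --name-only --diff-filter=d "$1"...HEAD -- '*.bb' '*.inc'
}

# Reads changed paths on stdin and prints the unique recipe names (PN).
# $1 = layer root. A changed .inc selects every .bb beside it (assumption:
# includes are only required by recipes in the same directory).
changed_recipes() {
    local root="$1" path bb
    while IFS= read -r path; do
        case "$path" in
            *.bb) printf '%s\n' "$path" ;;
            *.inc)
                for bb in "$root/$(dirname "$path")"/*.bb; do
                    if [ -e "$bb" ]; then printf '%s\n' "$bb"; fi
                done ;;
        esac
    done | while IFS= read -r bb; do
        bb="${bb##*/}"              # file name only
        bb="${bb%.bb}"              # drop the extension
        printf '%s\n' "${bb%%_*}"   # drop _<version>, leaving PN
    done | sort -u
}

# Prints "skip" when no recipe changed, else a space-separated recipe list.
plan_cve_scan() {   # $1 = layer root; changed paths on stdin
    local recipes
    recipes="$(changed_recipes "$1")"
    if [ -z "$recipes" ]; then
        echo skip
    else
        printf '%s\n' "$recipes" | paste -sd' ' -
    fi
}

# Constructed sample input: one recipe change and one docs-only change.
printf '%s\n' recipes-demo/foo/foo_1.2.bb README.md | plan_cve_scan .
```

In a checkout, `list_changed_files <base-ref> | plan_cve_scan .` yields the list a CVE job would consume. Scoping by changed files leaves recipes the PR does not touch unscanned, so CVEs newly published against them surface only in a full-layer run.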