mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-27 11:22:03 +00:00
ci: centralize path-gating behind single orchestrator + all-checks-pass gate

Replace the scattered per-workflow detect-changes pattern with a single ci.yml orchestrator that runs the classifier once, then conditionally calls sub-workflows via workflow_call based on lane outputs. A final all-checks-pass job (if: always()) aggregates all results so branch protection only needs to require one check.

Changes:
- New .github/workflows/ci.yml orchestrator (detect + conditional calls + all-checks-pass gate)
- Extend classify_changes.py with scan/deps/mcp_catalog lanes, absorbing supply-chain-audit's internal changes job
- Update detect-changes/action.yml to expose the new lane outputs
- Convert all 10 PR-gated sub-workflows to workflow_call-only triggers, removing their push/pull_request triggers and per-step detect-changes guards (gating now happens at the orchestrator level)
- lint.yml + supply-chain-audit.yml receive event_name as a workflow_call input to replace github.event_name (which is "workflow_call" inside called workflows)
- supply-chain-audit.yml: remove internal changes job + *-gate jobs (orchestrator handles gating, booleans arrive as inputs)
- contributor-check.yml: remove internal filter step
- Update test_classify_changes.py for 6-lane output + new supply-chain test cases
47 lines
1.8 KiB
YAML
name: OSV-Scanner
# Scans lockfiles (uv.lock, package-lock.json) against the OSV vulnerability
# database. Runs on every PR/push (via the ci.yml orchestrator's workflow_call)
# and on a weekly schedule against main.
#
# This is detection-only — OSV-Scanner does NOT open PRs or modify pins.
# It reports known CVEs in currently-pinned dependency versions so we can
# decide when and how to patch on our own schedule. Our pinning strategy
# (full SHA / exact version) is preserved; only the notification signal
# is added.
#
# Complements the supply-chain-audit.yml workflow (which scans for malicious
# code patterns in PR diffs) by covering the orthogonal "currently-pinned
# dep became known-vulnerable" case.
#
# Uses Google's officially-recommended reusable workflow, pinned by SHA.
# Findings land in the repo's Security tab (Code Scanning > OSV-Scanner).
# fail-on-vuln is disabled so the job does not block merges on pre-existing
# vulnerabilities in pinned deps that we may need to patch deliberately.

on:
  workflow_call:
  schedule:
    # Weekly scan against main — catches CVEs published after merge for
    # deps that haven't changed since.
    - cron: "0 9 * * 1"
  workflow_dispatch:

permissions:
  # Required by the reusable workflow to upload SARIF to the Security tab.
  actions: read
  contents: read
  security-events: write

jobs:
  scan:
    name: Scan lockfiles
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
    with:
      # Scan explicit lockfiles rather than recursing, so we only look at
      # the three sources of truth and skip vendored / test / worktree dirs.
      scan-args: |-
        --lockfile=uv.lock
        --lockfile=package-lock.json
        --lockfile=website/package-lock.json
      fail-on-vuln: false
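The workflow above relies on its reusable workflow being pinned to a full commit SHA with a version comment. As an added example that is not part of the repository, this Python check scans a workflow file's `uses:` references and reports any that are not pinned to a 40-hex SHA or that lack a version comment; the sample workflow text is constructed, combining the `uses:` line from this file with an unpinned `actions/checkout@v4` reference.

```python
import re

# A `uses:` reference in a GitHub Actions workflow: owner/repo[/path]@ref [# comment]
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*([^\s@]+)@(\S+)(?:\s*#\s*(.*))?\s*$')
# A full commit SHA (the pinning strategy the workflow comments describe)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def check_pins(workflow_text):
    """Classify every `uses:` reference in a workflow file.

    Returns (ok, findings) where findings is a list of
    (line_number, target, status) and ok is True only if every
    reference is pinned to a 40-hex commit SHA. A SHA pin without a
    trailing version comment is flagged separately because the comment
    is what lets reviewers and update tooling see which release it is.
    """
    findings = []
    ok = True
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref, comment = m.groups()
        if FULL_SHA_RE.match(ref):
            status = 'pinned' if comment else 'pinned-no-version-comment'
        else:
            # Tags and branches are mutable: the ref can be moved to new code.
            status = 'unpinned'
            ok = False
        findings.append((lineno, target, status))
    return ok, findings


# Constructed sample: the pinned line from osv-scanner.yml above ...
SAMPLE_GOOD = """\
jobs:
  scan:
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
"""
# ... plus a constructed job that pins only to a mutable tag.
SAMPLE_BAD = SAMPLE_GOOD + """\
  other:
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == '__main__':
    for name, text in (('good', SAMPLE_GOOD), ('bad', SAMPLE_BAD)):
        ok, findings = check_pins(text)
        print(name, 'ok' if ok else 'UNPINNED REFS', findings)
```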