mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-30 06:41:51 +00:00
Bumps the actions-minor-patch group with 2 updates in the / directory: [google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml](https://github.com/google/osv-scanner-action) and [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python).

Updates `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml` from 2.3.5 to 2.3.8
- [Release notes](https://github.com/google/osv-scanner-action/releases)
- [Commits](c518547040...9a49870895)

Updates `sigstore/gh-action-sigstore-python` from 3.0.0 to 3.3.0
- [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
- [Commits](f514d46b90...04cffa1d79)

---
updated-dependencies:
- dependency-name: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml
  dependency-version: 2.3.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: sigstore/gh-action-sigstore-python
  dependency-version: 3.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
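The bump above swaps one 40-character commit SHA for another and refreshes the `# vX.Y.Z` comment next to it, which is the pinning convention the workflow file below also describes. The script that follows is an added example, not code from the hermes-agent repository or from Dependabot: it audits workflow files for `uses:` references that are pinned to a tag or branch instead of a full commit SHA, and for SHA pins that have no version comment, so the policy can be enforced in CI or a pre-commit hook rather than by eye. The embedded sample workflow is constructed; the reusable-workflow line in it is the one from osv-scanner.yml, while the setup-python SHA is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflows for `uses:` references that are not pinned
to a full commit SHA.

Added example, not code from the hermes-agent repository or from Dependabot.
It checks the convention the osv-scanner.yml header describes: every
third-party action or reusable workflow is referenced by a 40-hex commit SHA,
followed by a "# vX.Y.Z" comment that records the tag the SHA corresponds to.
SAMPLE_WORKFLOW below is constructed for the demo; the setup-python SHA in it
is a placeholder, not a real commit.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Matches step-level ("- uses: ...") and job-level ("uses: ...") references of
# the form owner/repo[/path]@ref, optionally quoted, with an optional comment.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<target>[^@'"\s]+)@(?P<ref>[^'"\s#]+)['"]?"""
    r"""\s*(?:#\s*(?P<comment>.*))?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(?:\.\d+)*")


@dataclass(frozen=True)
class Finding:
    line: int
    target: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that violates the pinning policy."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote `uses:` line (local ./actions have no '@')
        target, ref, comment = m["target"], m["ref"], m["comment"]
        if target.startswith("docker://"):
            continue  # container images are pinned by digest, a separate check
        if not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved by the action's maintainers (or by
            # whoever compromises their account); a commit SHA cannot.
            findings.append(Finding(lineno, target, ref,
                                    "not pinned to a full 40-hex commit SHA"))
        elif not (comment and VERSION_COMMENT_RE.match(comment.strip())):
            # Without the comment nobody can tell which release the SHA is,
            # and a Dependabot-style bump has nothing to refresh alongside it.
            findings.append(Finding(lineno, target, ref,
                                    "SHA pin lacks a '# vX.Y.Z' version comment"))
    return findings


def audit_files(paths: list[str]) -> int:
    """Audit each workflow file; return the total number of findings."""
    total = 0
    for path in paths:
        for f in audit_workflow(Path(path).read_text(encoding="utf-8")):
            print(f"{path}:{f.line}: {f.target}@{f.ref}: {f.problem}")
            total += 1
    return total


# Constructed sample: one correctly pinned reusable workflow (the line used by
# osv-scanner.yml), one tag pin, one SHA pin without a comment (placeholder
# SHA, not a real commit), one local action.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if audit_files(sys.argv[1:]) else 0)
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.target}@{f.ref}: {f.problem}")
```

Run it as `python audit_pins.py .github/workflows/*.yml` to get a non-zero exit on any violation; with no arguments it audits the embedded sample and reports the tag-pinned checkout and the comment-less setup-python pin. The line-oriented regex is deliberate: it avoids a YAML dependency and keeps the trailing comment, which a YAML parser would discard.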
67 lines
2.3 KiB
YAML
```yaml
name: OSV-Scanner

# Scans lockfiles (uv.lock, package-lock.json) against the OSV vulnerability
# database. Runs on every PR that touches a lockfile and on a weekly schedule
# against main.
#
# This is detection-only — OSV-Scanner does NOT open PRs or modify pins.
# It reports known CVEs in currently-pinned dependency versions so we can
# decide when and how to patch on our own schedule. Our pinning strategy
# (full SHA / exact version) is preserved; only the notification signal
# is added.
#
# Complements the existing supply-chain-audit.yml workflow (which scans
# for malicious code patterns in PR diffs) by covering the orthogonal
# "currently-pinned dep became known-vulnerable" case.
#
# Uses Google's officially-recommended reusable workflow, pinned by SHA.
# Findings land in the repo's Security tab (Code Scanning > OSV-Scanner).
# fail-on-vuln is disabled so the job does not block merges on pre-existing
# vulnerabilities in pinned deps that we may need to patch deliberately.

on:
  pull_request:
    branches: [main]
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
      - 'package.json'
      - 'package-lock.json'
      - 'ui-tui/package.json'
      - 'ui-tui/package-lock.json'
      - 'website/package.json'
      - 'website/package-lock.json'
      - '.github/workflows/osv-scanner.yml'
  push:
    branches: [main]
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
      - 'package.json'
      - 'package-lock.json'
      - 'ui-tui/package-lock.json'
      - 'website/package-lock.json'
  schedule:
    # Weekly scan against main — catches CVEs published after merge for
    # deps that haven't changed since.
    - cron: '0 9 * * 1'
  workflow_dispatch:

permissions:
  # Required by the reusable workflow to upload SARIF to the Security tab.
  actions: read
  contents: read
  security-events: write

jobs:
  scan:
    name: Scan lockfiles
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
    with:
      # Scan explicit lockfiles rather than recursing, so we only look at
      # the three sources of truth and skip vendored / test / worktree dirs.
      scan-args: |-
        --lockfile=uv.lock
        --lockfile=ui-tui/package-lock.json
        --lockfile=website/package-lock.json
      fail-on-vuln: false
```
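The workflow sets `fail-on-vuln: false` so that findings in already-pinned dependencies do not block merges. The usual complement to that choice is a gate on new findings only: scan main once as a baseline, scan the PR, and fail the PR if it introduces an advisory the baseline did not have. The script below is an added example of that policy, not code from hermes-agent or from google/osv-scanner-action. It assumes both inputs are osv-scanner reports in its `--format json` shape (`results[].packages[].package` with `name`, `version`, `ecosystem`, and `results[].packages[].vulnerabilities[].id`); the two embedded reports are constructed, with placeholder package names and vulnerability IDs rather than real advisories.

```python
"""Fail a PR only on OSV findings that the baseline scan of main did not have.

Added example, not code from hermes-agent or from google/osv-scanner-action.
osv-scanner.yml runs with fail-on-vuln: false so pre-existing findings do not
block merges; this script is the complementary policy for anyone who wants a
PR to fail when it *introduces* a vulnerable dependency. Inputs are assumed to
follow the osv-scanner JSON output shape (results[].packages[].package and
results[].packages[].vulnerabilities[].id). The sample reports below are
constructed with placeholder names and IDs, not real advisories.
"""
from __future__ import annotations

import json
import sys

Key = tuple[str, str, str]  # (ecosystem, package name, vulnerability id)


def findings(report: dict) -> dict[Key, str]:
    """Map each (ecosystem, package, vuln id) in a report to the affected version."""
    out: dict[Key, str] = {}
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            p = pkg["package"]
            for vuln in pkg.get("vulnerabilities", []):
                out[(p["ecosystem"], p["name"], vuln["id"])] = p["version"]
    return out


def new_findings(baseline: dict, current: dict,
                 ignore_ids: frozenset[str] = frozenset()) -> list[tuple[str, str, str, str]]:
    """Findings in `current` absent from `baseline`, as (ecosystem, name, version, id).

    The key deliberately omits the version: a PR that bumps a package to a
    release still affected by the same advisory has not introduced a new
    problem, so it is not reported here (the weekly scan still surfaces it).
    `ignore_ids` plays the role of a reviewed-and-accepted list.
    """
    before = findings(baseline)
    after = findings(current)
    return sorted(
        (eco, name, version, vid)
        for (eco, name, vid), version in after.items()
        if (eco, name, vid) not in before and vid not in ignore_ids
    )


def _result(lockfile: str, ecosystem: str,
            pkgs: list[tuple[str, str, list[str]]]) -> dict:
    """Build one constructed results[] entry in the assumed osv-scanner shape."""
    return {
        "source": {"path": lockfile, "type": "lockfile"},
        "packages": [
            {"package": {"name": name, "version": version, "ecosystem": ecosystem},
             "vulnerabilities": [{"id": vid, "summary": f"placeholder advisory {vid}"}
                                 for vid in ids]}
            for name, version, ids in pkgs
        ],
    }


# Constructed baseline: main already carries one known finding in uv.lock.
BASELINE_REPORT = {"results": [
    _result("uv.lock", "PyPI", [("examplepkg-a", "1.0.0", ["EXAMPLE-0001"])]),
]}
# Constructed PR scan: examplepkg-a bumped but still affected (not new), one
# genuinely new PyPI finding, and one npm finding that is on the accepted list.
CURRENT_REPORT = {"results": [
    _result("uv.lock", "PyPI", [("examplepkg-a", "1.0.1", ["EXAMPLE-0001"]),
                                ("examplepkg-b", "2.3.0", ["EXAMPLE-0002"])]),
    _result("website/package-lock.json", "npm",
            [("examplepkg-c", "4.0.0", ["EXAMPLE-0003"])]),
]}


def main(argv: list[str]) -> int:
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fb, open(argv[2], encoding="utf-8") as fc:
            baseline, current = json.load(fb), json.load(fc)
    else:  # no files given: run on the constructed sample
        baseline, current = BASELINE_REPORT, CURRENT_REPORT
    new = new_findings(baseline, current, ignore_ids=frozenset({"EXAMPLE-0003"}))
    for eco, name, version, vid in new:
        print(f"NEW: {eco} {name} {version} {vid}")
    return 1 if new else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would be `python gate_new_findings.py baseline.json pr.json`, with baseline.json produced by an `osv-scanner --format json` run on main and stored as an artifact, and pr.json produced by the same command on the PR's checkout. On the constructed sample the gate reports only examplepkg-b and exits 1; the bumped examplepkg-a is treated as pre-existing and examplepkg-c is suppressed by the accepted list.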