This is an automated email from the ASF dual-hosted git repository.
haonan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new d19455db6a0 Apply community-reviewed improvements from Ratis PR #1328
to vulnerability-check workflow (#16995)
d19455db6a0 is described below
commit d19455db6a0dea879c00219e134c78748ee1c495
Author: Potato <[email protected]>
AuthorDate: Thu Jan 8 12:22:49 2026 +0800
Apply community-reviewed improvements from Ratis PR #1328 to
vulnerability-check workflow (#16995)
* Initial plan
* Apply improvements from Ratis PR #1328 to vulnerability-check workflow
Co-authored-by: OneSizeFitsQuorum
<[email protected]>
* Add explicit permissions block for security best practices
Co-authored-by: OneSizeFitsQuorum
<[email protected]>
---------
Co-authored-by: copilot-swe-agent[bot]
<[email protected]>
---
.github/workflows/vulnerability-check.yml | 42 ++++++++++++-------------------
1 file changed, 16 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/vulnerability-check.yml
b/.github/workflows/vulnerability-check.yml
index f8e85378380..1c37a89c938 100644
--- a/.github/workflows/vulnerability-check.yml
+++ b/.github/workflows/vulnerability-check.yml
@@ -1,7 +1,7 @@
name: vulnerability-check
on:
schedule:
- # Run at UTC 16:00 every week (CST 00:00 AM)
+ # Run at 16:00 UTC every Sunday (Monday 00:00 CST)
- cron: "0 16 * * 0"
workflow_dispatch:
concurrency:
@@ -15,46 +15,36 @@ env:
jobs:
dependency-check:
- strategy:
- fail-fast: false
- max-parallel: 15
- matrix:
- java: [17]
- os: [ubuntu-latest]
- runs-on: ${{ matrix.os }}
+ if: ${{ github.event_name == 'workflow_dispatch' || github.repository ==
'apache/iotdb' }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- uses: actions/checkout@v4
- - name: Set up JDK ${{ matrix.java }}
+ - name: Set up JDK 17
uses: actions/setup-java@v4
with:
distribution: corretto
- java-version: ${{ matrix.java }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Cache Maven packages
- uses: actions/cache@v4
- with:
- path: ~/.m2
- key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
- restore-keys: ${{ runner.os }}-m2-
+ java-version: 17
+
- name: Do Maven install
shell: bash
- run: mvn clean install -DskipTests
- - name: Do the dependency-check:check
- shell: bash
- run: mvn org.owasp:dependency-check-maven:check -DossIndexUsername=${{
secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }}
+ run: mvn $MAVEN_ARGS clean install -DskipTests
+
- name: Do the dependency-check:aggregate
shell: bash
- run: mvn org.owasp:dependency-check-maven:aggregate
-DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{
secrets.OSS_INDEX_TOKEN }}
- - name: Convert UTC to East Asia Standard Time and Extract Date
+ run: mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate
-DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{
secrets.OSS_INDEX_TOKEN }} -DnvdApiKey=${{ secrets.NVD_API_KEY }}
+
+ - name: Generate report date for artifact name
run: |
utc_time="${{ github.run_started_at }}"
target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d")
- echo "DATE_EAST_ASIA=$target_time" >> $GITHUB_ENV
+ echo "REPORT_DATE=$target_time" >> $GITHUB_ENV
+
- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
- name: vulnerability-check-result-${{ runner.os }}-${{
env.DATE_EAST_ASIA }}
+ name: vulnerability-check-result-${{ env.REPORT_DATE }}
path: target/dependency-check-report.html
retention-days: 15
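Review bot: The new aggregate `run:` line expands three secrets straight into the shell command text (`-DossIndexUsername=${{ secrets.OSS_INDEX_USER }} … -DnvdApiKey=${{ secrets.NVD_API_KEY }}`), so a rotated token containing a shell metacharacter is interpreted by bash rather than passed literally, and it is now the only place in the workflow that still mixes `${{ }}` into a script. Pass them through the step's `env:` mapping and reference the quoted shell variables, which is the pattern GitHub's hardening guidance recommends for anything interpolated into `run:`. Separately, the new `if:` admits `workflow_dispatch` runs from forks, where these secrets expand to empty strings, so `-DnvdApiKey=` is then passed with no value; I would confirm the plugin degrades to unauthenticated NVD access rather than failing in that case. Both `run:` lines also rely on `$MAVEN_ARGS`, which presumably comes from the top-level `env:` block the hunk header points at, outside this hunk.
```yaml
# … unchanged: checkout, JDK and "Do Maven install" steps …
      - name: Do the dependency-check:aggregate
        shell: bash
        env:
          OSS_INDEX_USER: ${{ secrets.OSS_INDEX_USER }}
          OSS_INDEX_TOKEN: ${{ secrets.OSS_INDEX_TOKEN }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: >-
          mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate
          -DossIndexUsername="$OSS_INDEX_USER"
          -DossIndexPassword="$OSS_INDEX_TOKEN"
          -DnvdApiKey="$NVD_API_KEY"
# … unchanged: report-date and upload steps …
```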