fix(osv-scanner): stop OSV PR scan hitting the 1MB job-outputs cap#347
Open
seonghobae wants to merge 2 commits into
Open
fix(osv-scanner): stop OSV PR scan hitting the 1MB job-outputs cap#347seonghobae wants to merge 2 commits into
seonghobae wants to merge 2 commits into
Conversation
…cap)
The osv-scan job fails with "Job outputs exceed 1,048,576 bytes" because
the pinned upstream reusable workflow (v2.3.8) dumps the full old/new
osv-scanner JSON (advisory text, references, every severity/ecosystem)
into $GITHUB_OUTPUT unconditionally, populating the `old-results` /
`new-results` job outputs and tripping GitHub's 1MB job-outputs cap.
Bump the pin from v2.3.8 (9a49870) to 3a7550f — v2.3.8 + exactly one
upstream commit ("feat: gate reusable workflow outputs with a flag").
That commit adds an `export-results` input (default false) and gates the
Export step with `if: ${{ inputs.export-results }}`. We don't set the
input, so the full-JSON export is skipped and the job outputs stay empty.
Security signal is unchanged: SARIF is still generated and uploaded to
Security > Code Scanning, artifacts (SARIF + old/new JSON) are still
uploaded, and gh-annotations still fire. Org merge gating is driven by
the code_scanning ruleset reading that SARIF, so it is unaffected. This
caller never consumed old-results/new-results, so nothing is lost.
3a7550f is 1 commit ahead / 0 behind the v2.3.8 tag with identical nested
action pins; the only delta is the output gate.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AxU2xaupAjp912oDNFuWyd
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem (infra failure)
The
OSV-Scanner PRworkflow'sosv-scanjob fails with:Root cause is in the upstream reusable workflow we pin,
google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.8. Itsosv-scanjob declares:and its "Export results" step
cats the full old/new osv-scanner JSON (advisory text, references, every severity and ecosystem) into$GITHUB_OUTPUTunconditionally. Those two job outputs are subject to GitHub's 1MB job-outputs cap, and verbose scans blow past it — so the job errors out before it can finish. Our caller doesn't even consumeold-results/new-results, so this is pure overhead.The problematic logic lives entirely inside the external pinned workflow, so it can't be fixed with the
with:inputs v2.3.8 exposes.Fix (minimal)
Bump the pinned SHA from
9a49870(v2.3.8) to3a7550f— which is v2.3.8 plus exactly one upstream commit,feat: gate reusable workflow outputs with a flag. That commit:export-resultsinput, defaultfalse, andif: ${{ inputs.export-results }}.We don't set
export-results, so it defaults off, the full-JSON export step is skipped, theold-results/new-resultsjob outputs stay empty, and the 1MB cap is never hit.3a7550fis 1 commit ahead / 0 behind the v2.3.8 tag, with byte-identical nested action pins (osv-scanner-action, osv-reporter-action, checkout, upload-artifact, codeql-action — all the same SHAs as v2.3.8). The only behavioral delta is the output gate. Diff is one pin line + a comment.Security signal preserved
gh-annotationsstill fire on the PR.code_scanningruleset (medium_or_higher) reading that SARIF — unaffected. This PR does not touchfail-on-vuln: false, so the existing gating policy is unchanged. Real CRITICAL/HIGH findings still surface in code scanning and still block via the ruleset.Only the redundant, oversized JSON job outputs (which nothing consumed) are dropped.
🤖 Generated with Claude Code