From d697c467e836a0a3044c0f680ea511f40ebb06d2 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Tue, 7 Jul 2026 22:09:44 +0900 Subject: [PATCH] fix(osv-scanner): bump reusable PR workflow to gate job outputs (1MB cap) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The osv-scan job fails with "Job outputs exceed 1,048,576 bytes" because the pinned upstream reusable workflow (v2.3.8) dumps the full old/new osv-scanner JSON (advisory text, references, every severity/ecosystem) into $GITHUB_OUTPUT unconditionally, populating the `old-results` / `new-results` job outputs and tripping GitHub's 1MB job-outputs cap. Bump the pin from v2.3.8 (9a49870) to 3a7550f — v2.3.8 + exactly one upstream commit ("feat: gate reusable workflow outputs with a flag"). That commit adds an `export-results` input (default false) and gates the Export step with `if: ${{ inputs.export-results }}`. We don't set the input, so the full-JSON export is skipped and the job outputs stay empty. Security signal is unchanged: SARIF is still generated and uploaded to Security > Code Scanning, artifacts (SARIF + old/new JSON) are still uploaded, and gh-annotations still fire. Org merge gating is driven by the code_scanning ruleset reading that SARIF, so it is unaffected. This caller never consumed old-results/new-results, so nothing is lost. 3a7550f is 1 commit ahead / 0 behind the v2.3.8 tag with identical nested action pins; the only delta is the output gate. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01AxU2xaupAjp912oDNFuWyd --- .github/workflows/osv-scanner-pr.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 4d5c4475..2d98b514 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -29,7 +29,12 @@ jobs: osv-scan: if: github.event.action != 'closed' # ponytail: use upstream reusable PR workflow, don't hand-roll the diff scan - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 + # Pinned to v2.3.8 + 1 commit (3a7550f) which gates the JSON job outputs + # behind the new `export-results` input (default false). v2.3.8 dumped the + # full old/new osv-scanner JSON into job outputs unconditionally, tripping + # GitHub's 1,048,576-byte job-outputs cap and failing the run. Same nested + # action pins as v2.3.8; only the Export step is now conditional. + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@3a7550f43ba5b58905a821ce3a0ed24c4858b3f4 # v2.3.8 + export-results gate permissions: actions: read contents: read