From d68593c9a84e6854afd6b0883affc38d18bffb7a Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:29:53 +1300
Subject: [PATCH 1/9] ci: run `osv-linter`
---
 .github/workflows/ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 47aa8b5d..83ecb2e4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,6 +25,23 @@ jobs:
 persist-credentials: false
 - name: Audit dependencies for security vulnerabilities
 uses: g-rath/check-with-osv-detector@0e8c0f954d8618a3a4671eca1918b30b2d085af3 # v0.2.0
+ lint:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - name: Set up Go
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version: stable
+ check-latest: true
+ - run: git clone https://github.com/ossf/osv-schema /tmp/osv-schema
+ - run: go install ./cmd/osv
+ working-directory: /tmp/osv-schema/tools/osv-linter
+
+ - run: osv-linter
+
 ruff:
 permissions:
 contents: read # to fetch code (actions/checkout)
From 1c60d176c79ab9e9ec9523b3ed54446e509c85a6 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:43:22 +1300
Subject: [PATCH 2/9] ci: cache go dependencies
---
 .github/workflows/ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 83ecb2e4..526a965e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
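Review bot: The `git clone https://github.com/ossf/osv-schema` step added here fetches whatever the default branch holds at run time, and the following steps build and execute it, while every `uses:` entry in this workflow is pinned to a full commit SHA. Patches 2, 4 and 9 in this series move the clone and make it shallow but leave it unpinned, so an upstream change alters what runs in CI without any reviewable diff in this repository. Fetching the linter source at a fixed commit keeps the job reproducible and consistent with the rest of the file; one way is to reuse the already pinned `actions/checkout` with `repository`, `ref` and `path`, as sketched below with a placeholder SHA. The job holds only `contents: read`, which limits the impact, but the lint verdict is otherwise only as trustworthy as the upstream head.

```yaml
      # build the osv-linter from source, at a reviewed commit
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          repository: ossf/osv-schema
          ref: '<OSV_SCHEMA_COMMIT_SHA>' # placeholder: full SHA of the reviewed osv-schema commit
          path: osv-schema
          persist-credentials: false
      # … unchanged: Set up Go, go build, linter run …
```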
@@ -31,12 +31,13 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
+ - run: git clone https://github.com/ossf/osv-schema /tmp/osv-schema
 - name: Set up Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
+ cache-dependency-path: '/tmp/osv-schema/tools/osv-linter/go.sum'
 go-version: stable
 check-latest: true
- - run: git clone https://github.com/ossf/osv-schema /tmp/osv-schema
 - run: go install ./cmd/osv
 working-directory: /tmp/osv-schema/tools/osv-linter
From 433448098831c1bbcd4c4c2c1f1a87430f1f8050 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:45:04 +1300
Subject: [PATCH 3/9] ci: rework
---
 .github/workflows/ci.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 526a965e..eada6090 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,10 +38,9 @@ jobs:
 cache-dependency-path: '/tmp/osv-schema/tools/osv-linter/go.sum'
 go-version: stable
 check-latest: true
- run: go install ./cmd/osv
+ - run: go build -o osv-linter ./cmd/osv
 working-directory: /tmp/osv-schema/tools/osv-linter
-
- - run: osv-linter
+ - run: /tmp/osv-schema/tools/osv-linter/osv-linter
 ruff:
 permissions:
From 8aadb416f5967174257d74cedaa9093bf88bb706 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:49:49 +1300
Subject: [PATCH 4/9] ci: be within workspace
---
 .github/workflows/ci.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eada6090..5db50861 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,16 +31,17 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
- - run: git clone https://github.com/ossf/osv-schema /tmp/osv-schema
+ - run: git clone https://github.com/ossf/osv-schema
 - name: Set up Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
- cache-dependency-path: '/tmp/osv-schema/tools/osv-linter/go.sum'
+ cache-dependency-path: 'osv-schema/tools/osv-linter/go.sum'
 go-version: stable
 check-latest: true
 - run: go build -o osv-linter ./cmd/osv
- working-directory: /tmp/osv-schema/tools/osv-linter
- - run: /tmp/osv-schema/tools/osv-linter/osv-linter
+ working-directory: osv-schema/tools/osv-linter
+
+ - run: osv-schema/tools/osv-linter/osv-linter
 ruff:
 permissions:
From f39a6438e892ff08a3d499b748bddc9be0adf293 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:50:07 +1300
Subject: [PATCH 5/9] ci: clone the repository
---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5db50861..d7f34259 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,6 +43,11 @@ jobs:
 - run: osv-schema/tools/osv-linter/osv-linter
+ - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ with:
+ persist-credentials: false
+ - run: ls -aoh
+
 ruff:
 permissions:
 contents: read # to fetch code (actions/checkout)
From 10582b682c80ee2d00ee8946a3d2ff2f0f7bab69 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:55:46 +1300
Subject: [PATCH 6/9] ci: checkout repo within existing workspace
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d7f34259..bbbc4d35 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,6 +45,7 @@ jobs:
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
+ path: drupal-advisory-database
 persist-credentials: false
 - run: ls -aoh
From f0a1b0e6dc7081cbbbd828ac5dd4b067e3b1594a Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 08:56:34 +1300
Subject: [PATCH 7/9] ci: run the linter
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bbbc4d35..3966df4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,7 +47,9 @@ jobs:
 with:
 path: drupal-advisory-database
 persist-credentials: false
- - run: ls -aoh
+ - run: |
+ osv-schema/tools/osv-linter/osv-linter record lint --parallel 2 \
+ drupal-advisory-database/advisories/
 ruff:
 permissions:
From caa7d15f2b999498ac39c878980990ce5151e593 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 09:08:28 +1300
Subject: [PATCH 8/9] ci: add some comments
---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3966df4b..ce7e8c6f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
+ # build the osv-linter from source
 - run: git clone https://github.com/ossf/osv-schema
 - name: Set up Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -43,6 +44,7 @@ jobs:
 - run: osv-schema/tools/osv-linter/osv-linter
+ # run the linter against our advisories
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 path: drupal-advisory-database
From 88398fe7d8a72744b0181e80c9e62924bd58a559 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Thu, 4 Dec 2025 10:12:25 +1300
Subject: [PATCH 9/9] ci: only clone the first commit
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
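Review bot: The bare `- run: osv-schema/tools/osv-linter/osv-linter` step from patches 3 and 4 (outside the `@@ -47,7 +47,9 @@` hunk of patch 7, visible as context in patches 5 and 8) is left in the job alongside the `record lint` step added in that hunk. With no subcommand it presumably only prints usage, so it either adds noise to the log or, if the binary exits non-zero without arguments, stops the job before any advisory is checked; dropping it, or making it an explicit smoke test of the build, would make the intent clear. The new step would also be easier to find in the Actions log with a name, e.g. `- name: Lint advisories with osv-linter`, matching the named `Set up Go` step.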
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ce7e8c6f..ffb95203 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,7 +32,7 @@ jobs:
 timeout-minutes: 15
 steps:
 # build the osv-linter from source
- - run: git clone https://github.com/ossf/osv-schema
+ - run: git clone --depth 1 https://github.com/ossf/osv-schema
 - name: Set up Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with: