From f90cc5616a7a69fa4b589d3ad599c02df03efea1 Mon Sep 17 00:00:00 2001 From: phil Date: Tue, 30 Jun 2026 12:09:02 +0900 Subject: [PATCH 1/2] =?UTF-8?q?fix(ci):=20dependency-review=20=EA=B0=80?= =?UTF-8?q?=EC=9A=A9=EC=84=B1=20=EA=B0=80=EB=93=9C=20=E2=80=94=20=EC=8B=A4?= =?UTF-8?q?=ED=8C=A8=20=EC=95=8C=EB=A6=BC=20=EB=A9=94=EC=9D=BC=20=EC=B0=A8?= =?UTF-8?q?=EB=8B=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit valkey 의 dependency-review.yml 이 가드 없이 dependency-review-action 을 무조건 실행 → GitHub Dependency graph 미가용(org-level) repo 에서 "not supported" 로 job 실패 → PR마다 GitHub Actions 실패 알림 메일 발송. mongodb-operator 가 이미 적용한 "Check dependency graph availability" 가드 스텝을 이식: dependency-graph/sbom API 조회로 가용성 확인 → 미가용 시 ::notice:: 후 review 스텝 skip(if: supported==true) → job PASS. 양 repo 워크플로우 동일화. 검증: mongo 동일 워크플로우가 이미 PASS (가드로 graceful skip). diff 0. Co-Authored-By: Claude Opus 4.8 Signed-off-by: phil --- .github/workflows/dependency-review.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7df9dd9f..e440c083 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,7 +21,21 @@ jobs: pull-requests: write # comment the diff summary inline steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: Check dependency graph availability + id: dependency_graph + env: + GH_TOKEN: ${{ github.token }} + run: | + set -euo pipefail + if gh api "repos/${GITHUB_REPOSITORY}/dependency-graph/sbom" >/dev/null 2>"${RUNNER_TEMP}/dependency-graph.err"; then + echo "supported=true" >>"${GITHUB_OUTPUT}" + exit 0 + fi + echo "supported=false" >>"${GITHUB_OUTPUT}" + echo "::notice::Dependency graph is unavailable for this repository; skipping dependency review until GitHub enables it." + cat "${RUNNER_TEMP}/dependency-graph.err" || true - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4 + if: steps.dependency_graph.outputs.supported == 'true' with: fail-on-severity: high # See https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-review-action From f4cc019d914da284757737b2b52aaef3102ac6b5 Mon Sep 17 00:00:00 2001 From: phil Date: Tue, 30 Jun 2026 12:15:02 +0900 Subject: [PATCH 2/2] =?UTF-8?q?docs(ci):=20dependency-review=20skip=20?= =?UTF-8?q?=EC=9D=98=20=EB=B3=B4=EC=95=88=20=EA=B7=BC=EA=B1=B0=20=EB=AA=85?= =?UTF-8?q?=EC=8B=9C=20(fail-closed-when-available)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 백그라운드 보안 리뷰의 "fail-open" 우려 정식 처리 — 가드의 의도적 tradeoff 를 주석으로 문서화: - graph 가용 시 review 는 그대로 차단 게이트(fail-closed, if: supported==true). - graph 미가용 시 action 은 review 전 hard-error(게이트 부작동 + 메일만) → skip. - CVE 차단은 graph 불요인 govulncheck(security-scan.yml)가 fail-closed backstop 상시 enforce. 즉 보안 게이트 손실 없이 실패 알림 메일만 제거. 동작 변경 없음(주석만). Co-Authored-By: Claude Opus 4.8 Signed-off-by: phil --- .github/workflows/dependency-review.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e440c083..14eea8a4 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,6 +21,13 @@ jobs: pull-requests: write # comment the diff summary inline steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + # 보안 tradeoff (의도적): dependency-review-action 은 GitHub Dependency graph + # 가 *반드시* 있어야 동작한다. 본 org/repo 는 graph 가 미가용이라 action 이 + # review 전에 hard-error 한다(게이트가 동작하지 못하고 실패 알림 메일만 양산). + # 따라서 graph 가용 시에만 review 를 실행(fail-closed, 아래 if), 미가용 시엔 skip. + # 이는 fail-open 이 아니다: (1) graph 가용 시 review 는 그대로 차단 게이트로 동작, + # (2) CVE 차단은 graph 불요인 govulncheck(security-scan.yml)가 fail-closed backstop + # 으로 상시 enforce. dependency-review 는 graph 기반 *보충* 커버리지(전 의존 + 라이선스)다. - name: Check dependency graph availability id: dependency_graph env: