From 8e20906b22a1e46704ee8e63471d339c65f7926b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 7 Jan 2026 12:26:32 +0000 Subject: [PATCH 1/3] Initial plan From 84f3b3418ceda1d912371e485f83dfb9a7499b29 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 7 Jan 2026 12:40:27 +0000 Subject: [PATCH 2/3] Add vulnerability-check.yml workflow with Ratis PR improvements Co-authored-by: OneSizeFitsQuorum <32640567+OneSizeFitsQuorum@users.noreply.github.com> --- .github/workflows/vulnerability-check.yml | 65 +++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 .github/workflows/vulnerability-check.yml diff --git a/.github/workflows/vulnerability-check.yml b/.github/workflows/vulnerability-check.yml new file mode 100644 index 0000000..548bf38 --- /dev/null +++ b/.github/workflows/vulnerability-check.yml @@ -0,0 +1,65 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: vulnerability-check + +on: + schedule: + # Run at 16:00 UTC every Sunday (Monday 00:00 CST) + - cron: "0 16 * * 0" + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 + MAVEN_ARGS: --batch-mode --no-transfer-progress + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + +jobs: + dependency-check: + if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'OneSizeFitsQuorum/Code-Server-With-Ray-Distributed-Debugger' }} + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + distribution: corretto + java-version: 11 + + - name: Do Maven install + shell: bash + run: mvn $MAVEN_ARGS clean install -DskipTests + + - name: Do the dependency-check:aggregate + shell: bash + run: mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate -DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }} -DnvdApiKey=${{ secrets.NVD_API_KEY }} + + - name: Generate report date for artifact name + run: | + utc_time="${{ github.run_started_at }}" + target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d") + echo "REPORT_DATE=$target_time" >> $GITHUB_ENV + + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: vulnerability-check-result-${{ env.REPORT_DATE }} + path: target/dependency-check-report.html + retention-days: 15 From 9bffbcf12b3704ed6ac8f9bb17bb3bc92faaf122 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 7 Jan 2026 12:41:52 +0000 Subject: [PATCH 3/3] Add explicit permissions block to vulnerability-check workflow Co-authored-by: OneSizeFitsQuorum <32640567+OneSizeFitsQuorum@users.noreply.github.com> --- .github/workflows/vulnerability-check.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/vulnerability-check.yml b/.github/workflows/vulnerability-check.yml index 548bf38..bdba8a2 100644 --- a/.github/workflows/vulnerability-check.yml +++ b/.github/workflows/vulnerability-check.yml @@ -34,6 +34,8 @@ jobs: dependency-check: if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'OneSizeFitsQuorum/Code-Server-With-Ray-Distributed-Debugger' }} runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4