From 3be6f91ed8186d484bcc1463e5cfe6a9ea8aaff5 Mon Sep 17 00:00:00 2001
From: tmu0 <108675202+tmu0@users.noreply.github.com>
Date: Fri, 19 Jun 2026 15:34:10 +0200
Subject: [PATCH 1/3] chore: merge infrasec/prodsec CODEOWNERS into security team
---
 .github/CODEOWNERS | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index dbeafce8a34b..aa5503eaf957 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -9,13 +9,13 @@
 /licenses/ @dfinity/idx
 /bin/ict @dfinity/idx
 /bin/ @dfinity/idx
-/bin/fuzzing/ @dfinity/product-security
+/bin/fuzzing/ @dfinity/security
 
 # [Bazel]
 .bazelrc @dfinity/idx
 .bazelversion @dfinity/idx
 /bazel/ @dfinity/idx
-/bazel/fuzz_testing.bzl @dfinity/idx @dfinity/product-security
+/bazel/fuzz_testing.bzl @dfinity/idx @dfinity/security
 /BUILD.bazel @dfinity/idx
 /third_party/ @dfinity/idx
 /MODULE.bazel @dfinity/idx
@@ -76,18 +76,18 @@ go.sum @dfinity/idx
 # [GitHub-Ci]
 /.github/ @dfinity/idx
 /.github/workflows/ @dfinity/idx
-/.github/workflows/bazel-dependency-submission.yml @dfinity/idx @dfinity/product-security
-/.github/workflows/container-scan-nightly.yml @dfinity/idx @dfinity/product-security
+/.github/workflows/bazel-dependency-submission.yml @dfinity/idx @dfinity/security
+/.github/workflows/container-scan-nightly.yml @dfinity/idx @dfinity/security
 /.github/workflows/ledger-suite-release.yml @dfinity/defi @dfinity/idx
-/.github/workflows/publish-crates.yml @dfinity/idx @dfinity/infrasec
+/.github/workflows/publish-crates.yml @dfinity/idx @dfinity/security
 /.github/workflows/repro-check.yml @dfinity/dre @dfinity/idx
 /.github/workflows/rosetta-release.yml @dfinity/defi @dfinity/idx
-/.github/workflows/security-checks.yml @dfinity/idx @dfinity/product-security
+/.github/workflows/security-checks.yml @dfinity/idx @dfinity/security
 /.github/CODEOWNERS @dfinity/ic-owners-owners
-.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST @dfinity/idx @dfinity/infrasec
+.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST @dfinity/idx @dfinity/security
 /ci/ @dfinity/idx
-/ci/actions/dependencies/ @dfinity/product-security
-/ci/src/dependencies/ @dfinity/product-security
+/ci/actions/dependencies/ @dfinity/security
+/ci/src/dependencies/ @dfinity/security
 /ci/src/dependencies/resources/container_scanner_finding_failover_ignore_list_guestos.txt @dfinity/node
 /ci/scripts/repro-check @dfinity/dre
 /.pre-commit-config.yaml @dfinity/idx
@@ -118,9 +118,9 @@ go.sum @dfinity/idx
 /rs/ethereum/ @dfinity/defi
 /rs/engine_controller/ @dfinity/dre
 /rs/execution_environment/ @dfinity/core-protocol
-/rs/fuzzers/ @dfinity/product-security
+/rs/fuzzers/ @dfinity/security
 /rs/http_endpoints/ @dfinity/core-protocol
-/rs/http_endpoints/fuzz/ @dfinity/product-security
+/rs/http_endpoints/fuzz/ @dfinity/security
 /rs/http_utils/ @dfinity/core-protocol
 /rs/https_outcalls/ @dfinity/core-protocol
 /rs/https_outcalls/consensus/ @dfinity/core-protocol
From 1eff9ac3a0ca13829e68e5f2c41ecd1c1fa375d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?=
Date: Mon, 22 Jun 2026 08:21:54 +0200
Subject: [PATCH 2/3] remove dep action, adapt CODEOWNERS
---
 .github/CODEOWNERS | 14 ++++++----
 ci/actions/dependencies/periodic/action.yml | 31 ---------------------
 2 files changed, 8 insertions(+), 37 deletions(-)
 delete mode 100644 ci/actions/dependencies/periodic/action.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index aa5503eaf957..8a7350ff9fa9 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -76,19 +76,21 @@ go.sum @dfinity/idx
 # [GitHub-Ci]
 /.github/ @dfinity/idx
 /.github/workflows/ @dfinity/idx
-/.github/workflows/bazel-dependency-submission.yml @dfinity/idx @dfinity/security
-/.github/workflows/container-scan-nightly.yml @dfinity/idx @dfinity/security
+/.github/workflows/bazel-dependency-submission.yml @dfinity/idx
+/.github/workflows/container-scan-nightly.yml @dfinity/idx @dfinity/node
 /.github/workflows/ledger-suite-release.yml @dfinity/defi @dfinity/idx
 /.github/workflows/publish-crates.yml @dfinity/idx @dfinity/security
 /.github/workflows/repro-check.yml @dfinity/dre @dfinity/idx
 /.github/workflows/rosetta-release.yml @dfinity/defi @dfinity/idx
-/.github/workflows/security-checks.yml @dfinity/idx @dfinity/security
+/.github/workflows/security-checks.yml @dfinity/idx
 /.github/CODEOWNERS @dfinity/ic-owners-owners
 .github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST @dfinity/idx @dfinity/security
 /ci/ @dfinity/idx
-/ci/actions/dependencies/ @dfinity/security
-/ci/src/dependencies/ @dfinity/security
-/ci/src/dependencies/resources/container_scanner_finding_failover_ignore_list_guestos.txt @dfinity/node
+/ci/src/dependencies/ @dfinity/node
+/ci/src/dependencies/integration/github/github_api.py @dfinity/idx @dfinity/node
+/ci/src/dependencies/integration/github/github_dependency_submission.py @dfinity/idx
+/ci/src/dependencies/job/bazel_rust_gh_submission_job.py @dfinity/idx
+/ci/src/dependencies/parser/ @dfinity/idx
 /ci/scripts/repro-check @dfinity/dre
 /.pre-commit-config.yaml @dfinity/idx
 /pre-commit/ @dfinity/idx
diff --git a/ci/actions/dependencies/periodic/action.yml b/ci/actions/dependencies/periodic/action.yml
deleted file mode 100644
index 16150de3af5b..000000000000
--- a/ci/actions/dependencies/periodic/action.yml
+++ /dev/null
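Review bot: The new side removes `@dfinity/security` from `/.github/workflows/security-checks.yml` and `/.github/workflows/bazel-dependency-submission.yml`, leaving `@dfinity/idx` as the only required reviewer, so changes to the workflow that runs the repository's security checks no longer need sign-off from the security team while `publish-crates.yml` and `EXTERNAL_CONTRIB_BLACKLIST` keep it. If that is deliberate, a one-line comment above the `security-checks.yml` entry stating who is accountable for that workflow and why the security team was dropped would keep the next reader from treating it as an oversight; otherwise keep `@dfinity/security` on `/.github/workflows/security-checks.yml @dfinity/idx @dfinity/security`. The hunk also deletes the `/ci/actions/dependencies/` rule although this commit only removes `periodic/action.yml` under it; anything else still in that directory now falls back to `/ci/ @dfinity/idx`, which I cannot confirm is intended from the diff alone.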
@@ -1,31 +0,0 @@
-name: 'Dependency Scan Nightly'
-runs:
-  using: "composite"
-  steps:
-    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-      with:
-        python-version: "3.12"
-    - name: Setup environment deps
-      id: setup-environment-deps
-      shell: bash
-      working-directory: ${{ github.action_path }}/../../../..
-      run: |
-        # this is needed to get more free space on the runner, otherwise might run OOM when building icOS
-        rm -rf /opt/hostedtoolcache
-        # Ignore externally-managed-environment pip error, install packages system-wide.
-        PIP_BREAK_SYSTEM_PACKAGES=1 pip3 install --ignore-installed -r requirements.txt
-    - name: Run Dependency Scan Nightly
-      id: dependency-scan-nightly
-      shell: bash
-      working-directory: ${{ github.action_path }}/../../../..
-      run: |
-        set -euo pipefail
-        export PYTHONPATH=$PWD/ci/src:$PWD/ci/src/dependencies
-        cd ci/src/dependencies/
-        cp -a $GITHUB_WORKSPACE/config/. config/
-        $SHELL_WRAPPER python3 job/bazel_trivy_container_ic_scanner_periodic_job.py
-        df -h
-      env:
-        SHELL_WRAPPER: "/usr/bin/time"
-        CI_PIPELINE_ID: ${{ github.run_id }}
From a1501e659f6e221691dd6c70079063380403a356 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?=
Date: Mon, 22 Jun 2026 08:23:51 +0200
Subject: [PATCH 3/3] simplify CODEOWNERS
---
 .github/CODEOWNERS | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 8a7350ff9fa9..5ca3d8f2702e 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -76,13 +76,11 @@ go.sum @dfinity/idx
 # [GitHub-Ci]
 /.github/ @dfinity/idx
 /.github/workflows/ @dfinity/idx
-/.github/workflows/bazel-dependency-submission.yml @dfinity/idx
 /.github/workflows/container-scan-nightly.yml @dfinity/idx @dfinity/node
 /.github/workflows/ledger-suite-release.yml @dfinity/defi @dfinity/idx
 /.github/workflows/publish-crates.yml @dfinity/idx @dfinity/security
 /.github/workflows/repro-check.yml @dfinity/dre @dfinity/idx
 /.github/workflows/rosetta-release.yml @dfinity/defi @dfinity/idx
-/.github/workflows/security-checks.yml @dfinity/idx
 /.github/CODEOWNERS @dfinity/ic-owners-owners
 .github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST @dfinity/idx @dfinity/security
 /ci/ @dfinity/idx