From f48d645efbc95cca347045eee96ce21729652ab6 Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar
Date: Thu, 9 Apr 2026 09:23:53 -0600
Subject: [PATCH 1/6] ci: use centralized vuln remediation workflow from infra
Made-with: Cursor
---
 .github/vuln-remediation.json | 5 +++++
 .github/workflows/vuln-remediation.yml | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 .github/vuln-remediation.json
 create mode 100644 .github/workflows/vuln-remediation.yml
diff --git a/.github/vuln-remediation.json b/.github/vuln-remediation.json
new file mode 100644
index 00000000..a7e100dd
--- /dev/null
+++ b/.github/vuln-remediation.json
@@ -0,0 +1,5 @@
+{
+ "non_production_paths": ["shared/cdp-test/", "images/chromium-headful/client/", "scripts/"],
+ "skip_packages": [],
+ "ecosystems": ["go", "npm", "pip"]
+}
diff --git a/.github/workflows/vuln-remediation.yml b/.github/workflows/vuln-remediation.yml
new file mode 100644
index 00000000..7ea0a4bf
--- /dev/null
+++ b/.github/workflows/vuln-remediation.yml
@@ -0,0 +1,17 @@
+name: Vulnerability Remediation
+
+on:
+ schedule:
+ - cron: '0 3 * * 3'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ remediate:
+ uses: kernel/infra/.github/workflows/vuln-remediation.yml@main
+ with:
+ go-version-file: 'server/go.mod'
+ secrets: inherit
From c5cfb26a2e6bbb76347ae9714bf6ec89ce492dd8 Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar
Date: Thu, 9 Apr 2026 09:39:22 -0600
Subject: [PATCH 2/6] ci: replace custom config with socket.yml
Made-with: Cursor
---
 .github/vuln-remediation.json | 5 -----
 socket.yml | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 .github/vuln-remediation.json
 create mode 100644 socket.yml
diff --git a/.github/vuln-remediation.json b/.github/vuln-remediation.json
deleted file mode 100644
index a7e100dd..00000000
--- a/.github/vuln-remediation.json
+++ /dev/null
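Review bot: The `uses:` line of the new `remediate` job references the reusable workflow at the mutable branch ref `@main` while the caller grants `contents: write` and `pull-requests: write` and forwards every secret through `secrets: inherit`, so whatever is pushed to that branch of the called repository runs here with write access and the full secret set. The same applies to the `uses:` lines changed in patches 3, 5 and 6, which end at `kernel/security-workflows/...@main`. Pin the callee to a full commit SHA and record the tracked version in a trailing comment, e.g. `uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@<full-commit-sha>  # <version-tag>` (placeholders), and let dependency automation bump it. If the called workflow declares its secret inputs, pass only those by name instead of `secrets: inherit`; its definition is not visible here, so that part is to be confirmed.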
@@ -1,5 +0,0 @@
-{
- "non_production_paths": ["shared/cdp-test/", "images/chromium-headful/client/", "scripts/"],
- "skip_packages": [],
- "ecosystems": ["go", "npm", "pip"]
-}
diff --git a/socket.yml b/socket.yml
new file mode 100644
index 00000000..d393f0b8
--- /dev/null
+++ b/socket.yml
@@ -0,0 +1,4 @@
+version: 2
+projectIgnorePaths:
+ - "shared/cdp-test/"
+ - "images/chromium-headful/client/"
From 18457771a588e4cbbe051a8c5ce61a13fe38ee7b Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar
Date: Thu, 9 Apr 2026 09:44:39 -0600
Subject: [PATCH 3/6] ci: temporarily point at infra PR branch for e2e testing
Made-with: Cursor
---
 .github/workflows/vuln-remediation.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/vuln-remediation.yml b/.github/workflows/vuln-remediation.yml
index 7ea0a4bf..3f1e7fa1 100644
--- a/.github/workflows/vuln-remediation.yml
+++ b/.github/workflows/vuln-remediation.yml
@@ -4,6 +4,11 @@ on:
 schedule:
 - cron: '0 3 * * 3'
 workflow_dispatch:
+ pull_request:
+ branches: [main]
+ paths:
+ - '.github/workflows/vuln-remediation*'
+ - 'socket.yml'
 permissions:
 contents: write
@@ -11,7 +16,7 @@ permissions:
 jobs:
 remediate:
- uses: kernel/infra/.github/workflows/vuln-remediation.yml@main
+ uses: kernel/infra/.github/workflows/vuln-remediation.yml@security/vuln-remediation-reusable
 with:
 go-version-file: 'server/go.mod'
 secrets: inherit
From 0b5bcf53f1a87e68bd9397146b30bdddd04c936d Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar
Date: Thu, 9 Apr 2026 09:45:59 -0600
Subject: [PATCH 4/6] ci: retrigger workflow after enabling org-wide reusable access on infra
Made-with: Cursor
From 3754406b951d5ee2b9a7385b4ee17ee928fa2da8 Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar
Date: Fri, 10 Apr 2026 10:48:28 -0600
Subject: [PATCH 5/6] ci: revert caller to @main after successful e2e test
Made-with: Cursor
---
 .github/workflows/vuln-remediation.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
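Review bot: `projectIgnorePaths` in the new `socket.yml` carries over `shared/cdp-test/` and `images/chromium-headful/client/` but not `scripts/`, which the `non_production_paths` list deleted in the same patch did contain, so the migration the subject line calls a replacement silently narrows the ignore set. If dropping `scripts/` is intended, say so in the commit message; otherwise add the third entry `  - "scripts/"`. The deleted config's `ecosystems` and `skip_packages` settings have no counterpart in the new file either; whether the centralized workflow still consumes them is not visible from this series and should be checked against its inputs.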
diff --git a/.github/workflows/vuln-remediation.yml b/.github/workflows/vuln-remediation.yml
index 3f1e7fa1..7ea0a4bf 100644
--- a/.github/workflows/vuln-remediation.yml
+++ b/.github/workflows/vuln-remediation.yml
@@ -4,11 +4,6 @@ on:
 schedule:
 - cron: '0 3 * * 3'
 workflow_dispatch:
- pull_request:
- branches: [main]
- paths:
- - '.github/workflows/vuln-remediation*'
- - 'socket.yml'
 permissions:
 contents: write
@@ -16,7 +11,7 @@ permissions:
 jobs:
 remediate:
- uses: kernel/infra/.github/workflows/vuln-remediation.yml@security/vuln-remediation-reusable
+ uses: kernel/infra/.github/workflows/vuln-remediation.yml@main
 with:
 go-version-file: 'server/go.mod'
 secrets: inherit
From 80546a76a231ef55f660fd1dfcab69b933b02cad Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar
Date: Fri, 10 Apr 2026 11:23:15 -0600
Subject: [PATCH 6/6] ci: point vuln remediation at kernel/security-workflows
Made-with: Cursor
---
 .github/workflows/vuln-remediation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/vuln-remediation.yml b/.github/workflows/vuln-remediation.yml
index 7ea0a4bf..f382dbcb 100644
--- a/.github/workflows/vuln-remediation.yml
+++ b/.github/workflows/vuln-remediation.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
 remediate:
- uses: kernel/infra/.github/workflows/vuln-remediation.yml@main
+ uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main
 with:
 go-version-file: 'server/go.mod'
 secrets: inherit
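Review bot: The patch 6 hunk switches the `uses:` target to a different repository but keeps the caller's `with: go-version-file` and `secrets: inherit` contract unchanged, so the new `kernel/security-workflows` workflow must declare a `go-version-file` input with the same name (an input the callee does not declare is rejected when the run is dispatched) and, as patch 4's subject says was needed for infra, that repository must allow this repo to call its reusable workflows. Neither the callee's definition nor its access setting is visible here, so both are to be confirmed before the next scheduled run rather than discovered from a failed cron job. A one-line comment above `uses:` naming the callee's expected inputs, e.g. `# callee declares go-version-file; see kernel/security-workflows`, would make the dependency explicit for the next reader.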