ci: add centralized vuln remediation workflow

[ulziibay-kernel]

Thin caller to the reusable 3-stage pipeline (triage → fix → PR) in kernel/infra. Per-repo config in .github/vuln-remediation.json.

Made with Cursor

---

Note

Medium Risk
Adds an automated scheduled GitHub Actions workflow that can open PRs and push changes, which impacts repo contents and CI behavior. Risk is moderate because it delegates execution to an external reusable workflow on main.

Overview
Introduces a new Vulnerability Remediation GitHub Actions workflow (.github/workflows/vuln-remediation.yml) that runs on a weekly schedule and via manual dispatch, with permissions to write contents and create PRs.

The workflow delegates remediation to kernel/security-workflows/.github/workflows/vuln-remediation.yml@main, enables setup-bun, and inherits repository secrets; adds socket.yml with version: 2 for tooling configuration.

^{Reviewed by Cursor Bugbot for commit 3d06ccc. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mcp	Ready	Preview, Comment	Apr 10, 2026 5:24pm

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 3f22641. Configure here.}

[cursor]

Mutable ref with secrets inherit widens supply-chain risk

Medium Severity

The reusable workflow uses a mutable @main branch reference. With secrets: inherit and contents: write/pull-requests: write permissions, this introduces a supply-chain risk where changes to kernel/infra's main branch could execute with elevated privileges and full secret access here.

 

^{Reviewed by Cursor Bugbot for commit 3f22641. Configure here.}