
ci: route composer-audit through magento-ci-workflows reusable#4

Closed
Sebastian80 wants to merge 4 commits into master from ci/magento-composer-audit

Conversation

@Sebastian80
Contributor

Problem

composer-audit / Composer Audit from the netresearch/typo3-ci-workflows reusable security.yml fails on every master push because it runs composer install without authentication to repo.magento.com, breaking on magento/framework, magento/module-backend and magento/module-config. Those packages live on the Magento Marketplace repo which requires MAGENTO_REPO_USERNAME / MAGENTO_REPO_PASSWORD. The TYPO3-oriented reusable workflow has no way to pass Marketplace credentials through.

Solution

This repo now calls a Magento-aware reusable workflow that accepts Marketplace credentials as workflow secrets.

  • composer-audit (typo3 reusable): keep for gitleaks / preflight / opengrep SAST. Set skip-composer-audit: true so its broken composer-audit step is skipped.
  • magento-composer-audit (new): calls netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.0 with MAGENTO_REPO_USERNAME / MAGENTO_REPO_PASSWORD passed in as workflow secrets. Runs composer install --no-dev against repo.magento.com with proper auth, then composer audit.

Secret provisioning

MAGENTO_REPO_USERNAME and MAGENTO_REPO_PASSWORD are mirrored from HashiCorp Vault (ci/<gitlab-project-path> per CI-390 — single source of truth) into this repo's Actions secrets. To rotate: update the Vault entry, then re-run the sync script (/tmp/sync_vault_to_gh.sh in the session that produced this PR; will be moved to a permanent location).

Coverage

| Coverage | Before | After |
| --- | --- | --- |
| gitleaks (secret scanning) | | |
| preflight (event gate) | | |
| dependency-review (PR-diff CVE) | | |
| opengrep (SAST) | | |
| composer-audit (CVE detection on installed deps) | ✗ broken | ✓ working with Marketplace auth |

Test plan

  • PR-CI: magento-composer-audit job runs composer install and reaches composer audit step (validates Marketplace auth + composer resolve)
  • After merge: master-push security workflow run is green (vs. today's failure)
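The wiring the description lays out, as an added example caller workflow (it is not the PR's own `security.yml`, which this page does not show). The input name `skip-composer-audit`, the two secret names and the `netresearch/magento-ci-workflows` path are taken from the PR; the trigger set, the `permissions` block, the job names and the `@<ref>` placeholder on the TYPO3 reusable are assumptions.

```yaml
# .github/workflows/security.yml -- illustrative caller, not the file from this PR
name: security

on:
  push:
    branches: [master]      # assumed: the PR only says the failure shows on master pushes
  pull_request:

# assumed: a read-only token for the caller; the reusable workflows request what they need
permissions:
  contents: read

jobs:
  # TYPO3-oriented reusable: keep gitleaks / preflight / opengrep SAST,
  # but skip its composer-audit step, which cannot authenticate to repo.magento.com.
  composer-audit:
    uses: netresearch/typo3-ci-workflows/.github/workflows/security.yml@<ref>   # <ref> is a placeholder
    with:
      skip-composer-audit: true

  # Magento-aware reusable: Marketplace credentials are handed over as workflow
  # secrets (masked in logs), not as plain inputs. The description pins v0.1.0;
  # the later commits and the dependency-review table show the PR ended on 0.1.3.
  magento-composer-audit:
    uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.3
    secrets:
      MAGENTO_REPO_USERNAME: ${{ secrets.MAGENTO_REPO_USERNAME }}
      MAGENTO_REPO_PASSWORD: ${{ secrets.MAGENTO_REPO_PASSWORD }}
```

Passing the two secrets by name, rather than `secrets: inherit`, keeps the callee from seeing every other secret in the repository. A tag such as `@v0.1.3` is mutable; pinning the `uses:` reference to a full commit SHA is the usual hardening for a reusable workflow that receives credentials.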

The typo3-ci-workflows security.yml composer-audit job fails on Magento
module repos because it runs 'composer install' without Marketplace auth,
breaking on magento/framework, magento/module-backend etc. that live on
repo.magento.com.

This patch:
- Sets skip-composer-audit: true on the typo3-ci-workflows reusable call,
  keeping gitleaks/preflight/opengrep SAST coverage active.
- Adds a magento-composer-audit job calling
  netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.0
  which receives Marketplace credentials as workflow secrets
  (MAGENTO_REPO_USERNAME / MAGENTO_REPO_PASSWORD) synced from HashiCorp
  Vault path ci/<gitlab-project-path> per repo (CI-390 source of truth).

Restores composer audit coverage on master pushes without duplicating
Marketplace credentials into long-lived GH org secrets.

Signed-off-by: Sebastian <sebastian.ertner@netresearch.de>
@github-actions

github-actions Bot commented Jun 1, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/security.yml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml | 0.1.3 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| actions/netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml | 0.1.3 | Unknown | Unknown |

Scanned Files

  • .github/workflows/security.yml

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

v0.1.1 registers repo.magento.com as a composer repository before
running composer install, fixing 'magento/framework could not be found'
errors observed in v0.1.0 runs.

Signed-off-by: Sebastian <sebastian.ertner@netresearch.de>

v0.1.2 adds --no-plugins to composer install + audit, bypassing the
allow-plugins block on magento/composer-dependency-version-audit-plugin
and other Marketplace composer plugins.

Signed-off-by: Sebastian <sebastian.ertner@netresearch.de>

v0.1.3 uses --abandoned=report so abandoned packages (laminas/laminas-loader
etc.) are visible but don't fail the audit. Real CVE advisories still fail.

Signed-off-by: Sebastian <sebastian.ertner@netresearch.de>
@Sebastian80
Contributor Author

Sebastian80 commented Jun 2, 2026

After consultation with Sebastian Mendel: the GitHub Actions security workflow is being rolled back from the GitHub Magento module repos.

The GitHub repos are stripped mirrors of the GitLab originals (force-mirrored on tag release). Security coverage belongs on the GitLab source side (tracked via CI-398), not on the mirror.

The associated reusable workflow library netresearch/magento-ci-workflows has also been deleted.

@Sebastian80 Sebastian80 closed this Jun 2, 2026
@Sebastian80 Sebastian80 deleted the ci/magento-composer-audit branch June 2, 2026 09:02