From e915e4f65c1eedb3d4707b860df24f98a62e78fa Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Mon, 1 Jun 2026 15:15:20 +0200
Subject: [PATCH 1/4] ci: route composer-audit through magento-ci-workflows reusable
The typo3-ci-workflows security.yml composer-audit job fails on Magento module repos because it runs 'composer install' without Marketplace auth, breaking on magento/framework, magento/module-backend etc. that live on repo.magento.com. This patch: - Sets skip-composer-audit: true on the typo3-ci-workflows reusable call, keeping gitleaks/preflight/opengrep SAST coverage active. - Adds a magento-composer-audit job calling netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.0 which receives Marketplace credentials as workflow secrets (MAGENTO_REPO_USERNAME / MAGENTO_REPO_PASSWORD) synced from HashiCorp Vault path ci/ per repo (CI-390 source of truth). Restores composer audit coverage on master pushes without duplicating Marketplace credentials into long-lived GH org secrets.
Signed-off-by: Sebastian
---
 .github/workflows/security.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 1010656..2b63af7 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -21,3 +21,11 @@ jobs:
 composer-audit:
 uses: netresearch/typo3-ci-workflows/.github/workflows/security.yml@main
+ with:
+ skip-composer-audit: true
+
+ magento-composer-audit:
+ uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.0
+ secrets:
+ MAGENTO_REPO_USERNAME: ${{ secrets.MAGENTO_REPO_USERNAME }}
+ MAGENTO_REPO_PASSWORD: ${{ secrets.MAGENTO_REPO_PASSWORD }}
From d1c710cc779c3360212eceaf02be8841e29a8e2d Mon Sep 17 00:00:00 2001
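Review bot: The new `magento-composer-audit` job hands the repo.magento.com credentials to `netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.0`, a mutable tag; whoever can move that tag (or push to that repository) receives `MAGENTO_REPO_USERNAME`/`MAGENTO_REPO_PASSWORD` on the next master push, so the reference should be a full commit SHA with the tag kept as a trailing comment, e.g. `uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@<commit-sha-of-v0.1.0> # v0.1.0`. The same applies to the existing `@main` reference on the typo3-ci-workflows call that this hunk extends, which floats even more freely. The follow-up patches 2–4 re-point the tag three times; with SHA pinning each bump stays a one-line change but becomes auditable from the diff alone. `jobs:` opens before this hunk, so the workflow's trigger and `permissions:` are not visible here — worth confirming the called workflow receives only the token scope the audit needs.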
From: Sebastian
Date: Mon, 1 Jun 2026 15:23:59 +0200
Subject: [PATCH 2/4] ci: bump magento-ci-workflows to v0.1.1
v0.1.1 registers repo.magento.com as a composer repository before running composer install, fixing 'magento/framework could not be found' errors observed in v0.1.0 runs.
Signed-off-by: Sebastian
---
 .github/workflows/security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 2b63af7..6904e76 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -25,7 +25,7 @@ jobs:
 skip-composer-audit: true
 magento-composer-audit:
- uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.0
+ uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.1
 secrets:
 MAGENTO_REPO_USERNAME: ${{ secrets.MAGENTO_REPO_USERNAME }}
 MAGENTO_REPO_PASSWORD: ${{ secrets.MAGENTO_REPO_PASSWORD }}
From 13bedd91f62cabb741e5d5388ec2607c391244c5 Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Mon, 1 Jun 2026 15:29:30 +0200
Subject: [PATCH 3/4] ci: bump magento-ci-workflows to v0.1.2
v0.1.2 adds --no-plugins to composer install + audit, bypassing the allow-plugins block on magento/composer-dependency-version-audit-plugin and other Marketplace composer plugins.
Signed-off-by: Sebastian
---
 .github/workflows/security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6904e76..6c29828 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -25,7 +25,7 @@ jobs:
 skip-composer-audit: true
 magento-composer-audit:
- uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.1
+ uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.2
 secrets:
 MAGENTO_REPO_USERNAME: ${{ secrets.MAGENTO_REPO_USERNAME }}
 MAGENTO_REPO_PASSWORD: ${{ secrets.MAGENTO_REPO_PASSWORD }}
From 91c1d1c0cfb89bd12086653f7e6d64f142796fc7 Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Mon, 1 Jun 2026 15:32:53 +0200
Subject: [PATCH 4/4] ci: bump magento-ci-workflows to v0.1.3
v0.1.3 uses --abandoned=report so abandoned packages (laminas/laminas-loader etc.) are visible but don't fail the audit. Real CVE advisories still fail.
Signed-off-by: Sebastian
---
 .github/workflows/security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6c29828..02349d6 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -25,7 +25,7 @@ jobs:
 skip-composer-audit: true
 magento-composer-audit:
- uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.2
+ uses: netresearch/magento-ci-workflows/.github/workflows/composer-audit.yml@v0.1.3
 secrets:
 MAGENTO_REPO_USERNAME: ${{ secrets.MAGENTO_REPO_USERNAME }}
 MAGENTO_REPO_PASSWORD: ${{ secrets.MAGENTO_REPO_PASSWORD }}