Skip to content

ci: dependency-scan release gate (CRA Annex I Part I(1))#310

Merged
hendrikmennen merged 1 commit into
mainfrom
cra/codeql-and-release-gate
Jul 10, 2026
Merged

ci: dependency-scan release gate (CRA Annex I Part I(1))#310
hendrikmennen merged 1 commit into
mainfrom
cra/codeql-and-release-gate

Conversation

@hendrikmennen

@hendrikmennen hendrikmennen commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Makes the vulnerable-dependency scan a required release gate for OneWare Studio, closing the remaining EU CRA (Regulation (EU) 2024/2847) Annex I Part I(1) technical gap.

Changes

  • Dependency scan as a required release gate: dependency-scan.yml now also exposes workflow_call. publish-studio-all.yml runs it as a scan job and the release job needs: scan. A known-vulnerable NuGet dependency now blocks the GitHub Release, and since every platform publish requires workflow_run.conclusion == 'success', the entire publish cascade is blocked too.
  • Removed a stale internal compliance/cra/ path reference from the scan comment.

Note on SAST

CodeQL and secret scanning are enabled organisation-wide via GitHub Advanced Security default setup, so no repo-level CodeQL workflow is added here.

CRA mapping

  • Annex I Part I(1) — no known exploitable vulnerabilities at release (now enforced).
  • Annex I Part II — vulnerability handling (dependency scanning + org-wide SAST).

No product code changes; CI only.

Expose dependency-scan as a reusable workflow (workflow_call) and gate
publish-studio-all on it, so a known-vulnerable dependency blocks the
release and the platform publish pipelines that cascade from it.
Also drop the stale internal compliance/cra/ path reference from the
scan comment.

SAST (CodeQL) and secret scanning are provided organisation-wide via
GitHub Advanced Security default setup, so no repo-level CodeQL workflow
is needed.
@hendrikmennen hendrikmennen force-pushed the cra/codeql-and-release-gate branch from 040349b to f55c327 Compare July 10, 2026 15:22
@hendrikmennen hendrikmennen changed the title ci: CodeQL SAST + dependency-scan release gate (CRA Annex I Part I(1)) ci: dependency-scan release gate (CRA Annex I Part I(1)) Jul 10, 2026
@hendrikmennen hendrikmennen merged commit 7dadc31 into main Jul 10, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant