From f55c3273b99425f4697962792d1d4addb3a8145b Mon Sep 17 00:00:00 2001 From: Hendrik Mennen Date: Fri, 10 Jul 2026 17:05:26 +0200 Subject: [PATCH] ci: make dependency scan a required release gate (CRA Annex I Part I(1)) Expose dependency-scan as a reusable workflow (workflow_call) and gate publish-studio-all on it, so a known-vulnerable dependency blocks the release and the platform publish pipelines that cascade from it. Also drop the stale internal compliance/cra/ path reference from the scan comment. SAST (CodeQL) and secret scanning are provided organisation-wide via GitHub Advanced Security default setup, so no repo-level CodeQL workflow is needed. --- .github/workflows/dependency-scan.yml | 4 +++- .github/workflows/publish-studio-all.yml | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml index fa379b68..33b2734c 100644 --- a/.github/workflows/dependency-scan.yml +++ b/.github/workflows/dependency-scan.yml @@ -1,6 +1,7 @@ # Fails CI when OneWare Studio depends on a NuGet package with a known # vulnerability. Supports the EU Cyber Resilience Act (Regulation (EU) 2024/2847), -# Annex I Part I(1) and Part II. See compliance/cra/ for details. +# Annex I Part I(1) and Part II. Also exposed as a reusable workflow +# (workflow_call) so the release pipeline can use it as a required gate. name: Dependency Vulnerability Scan @@ -12,6 +13,7 @@ on: schedule: - cron: "17 6 * * 1" workflow_dispatch: + workflow_call: permissions: contents: read diff --git a/.github/workflows/publish-studio-all.yml b/.github/workflows/publish-studio-all.yml index 57796882..9ba7109d 100644 --- a/.github/workflows/publish-studio-all.yml +++ b/.github/workflows/publish-studio-all.yml @@ -5,8 +5,16 @@ on: workflow_dispatch: jobs: + # CRA Annex I Part I(1) release gate: block the release — and the platform + # publish pipelines that cascade from it — if any dependency has a known + # vulnerability. + scan: + name: Dependency vulnerability gate + uses: ./.github/workflows/dependency-scan.yml + release: name: Release + needs: scan runs-on: ubuntu-latest permissions: contents: write