Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .github/workflows/dependency-scan.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Fails CI when OneWare Studio depends on a NuGet package with a known
# vulnerability. Supports the EU Cyber Resilience Act (Regulation (EU) 2024/2847),
# Annex I Part I(1) and Part II. See compliance/cra/ for details.
# Annex I Part I(1) and Part II. Also exposed as a reusable workflow
# (workflow_call) so the release pipeline can use it as a required gate.

name: Dependency Vulnerability Scan

Expand All @@ -12,6 +13,7 @@ on:
schedule:
- cron: "17 6 * * 1"
workflow_dispatch:
workflow_call:

permissions:
contents: read
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/publish-studio-all.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,16 @@
workflow_dispatch:

jobs:
# CRA Annex I Part I(1) release gate: block the release — and the platform
# publish pipelines that cascade from it — if any dependency has a known
# vulnerability.
scan:
name: Dependency vulnerability gate
uses: ./.github/workflows/dependency-scan.yml

release:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
name: Release
needs: scan
runs-on: ubuntu-latest
permissions:
contents: write
Expand Down
Loading