fix(osv): make PR gate differential so pre-existing debt can't block PRs #51
Open
JacobPEvans-personal wants to merge 1 commit into
The reusable _osv-scan.yml ran a full repo scan on every trigger and failed on ANY finding. Because it is wired as a required PR gate (e.g. nix-ai ci-gate.yml, `if: always()`, not in the Merge Gate allowed-skips), a single open advisory on a transitive dependency anywhere in the tree red-flagged EVERY open PR — including unrelated ones that only touch flake.lock and can never clear that debt.

Split into two modes by trigger:

- pull_request -> DIFFERENTIAL. Scan the base ref and the head ref and fail ONLY on vulnerabilities the PR introduces, using the official osv-scanner / osv-reporter diff pattern (osv-scanner-reusable-pr.yml). Pre-existing base findings no longer block the PR.
- push / schedule / other -> FULL scan (previous behavior), so the default branch still surfaces accumulated/drift debt. Callers that run this on `push:`/`schedule:` (docs/osv-scan.yml) are unaffected.

Central-vs-local osv-scanner.toml resolution is unchanged and applies in both modes (and to both refs in differential mode — the file persists across the in-place ref switches).

Action digests pinned to v2.3.8 (9a49870), matching the existing scanner pin.

Note: docs/osv-scan.yml pins this workflow to a SHA, so it is unaffected until intentionally bumped; nix-ai and mlx-benchmarks track @main and get the change.

Assisted-by: Claude:claude-opus-4-8[1m]
Claude-Session: https://claude.ai/code/session_01CYau7MWswJikoctB9MUgcZ
JacobPEvans-personal added a commit to dryvist/nix-ai that referenced this pull request on Jun 26, 2026:
Complements the now-differential PR gate (dryvist/.github#51): the PR gate fails only on vulnerabilities a PR introduces, so this weekly full scan of the default branch is what surfaces drift — a new advisory landing against an unchanged dependency shows up as a failed scheduled run. uv.lock drift is normally auto-remediated by uv-lock-upgrade.yml; this is the backstop for everything else. Reuses the org _osv-scan.yml (full-scan mode on schedule).

Assisted-by: Claude:claude-opus-4-8[1m]
Claude-Session: https://claude.ai/code/session_01CYau7MWswJikoctB9MUgcZ
Problem

`_osv-scan.yml` ran a full repo scan on every trigger and failed on any finding. Wired as a required PR gate (e.g. `nix-ai` `ci-gate.yml`, `if: always()`, not in the Merge Gate `allowed-skips`), a single open advisory on a transitive dependency anywhere in the tree red-flagged every open PR — including unrelated ones (e.g. `chore(deps): lock file maintenance`, which only touches `flake.lock`) that can never clear that debt. This is the root cause of nix-ai's lock-file-maintenance PRs always failing CI.

Change

Two modes, selected by trigger:

- `pull_request` → differential (`osv-scanner` → `osv-reporter` diff pattern). Pre-existing base findings no longer block the PR.
- `push` / `schedule` / other → full scan.

Central-vs-local `osv-scanner.toml` resolution is unchanged and applies in both modes (and to both refs in differential mode — the file persists across the in-place ref switches). Action digests stay pinned to `v2.3.8` (`9a49870`), matching the existing scanner pin; `osv-reporter-action` added at the same pin.

Blast radius

- Callers tracking `@main` (`nix-ai`, `mlx-benchmarks`) pick this up immediately — their PR gate becomes differential, their `push`/`schedule` runs keep full-scan behavior.
- `docs/osv-scan.yml` pins this workflow to a SHA, so it is unaffected until intentionally bumped. It runs on `pull_request` + `push` + `schedule`; when bumped it gains differential PRs and keeps full push/schedule scans.

Validation

- `actionlint .github/workflows/_osv-scan.yml` → clean.
- Mirrors `google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml` (checkout base → scan → checkout head → scan → `osv-reporter --old --new --fail-on-vuln=true`).
- `run:` steps use only GitHub-controlled `$GITHUB_BASE_REF`/`$GITHUB_SHA` (quoted) — no untrusted input.

Companion: dryvist/nix-ai#1033 clears the current fixable `uv.lock` debt and adds a twice-weekly `uv lock --upgrade` auto-merge workflow, plus a scheduled full-scan caller of this workflow.
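The gate logic the description above relies on, as an added Python example that is not the project's `_osv-scan.yml` and not osv-reporter's own code: it flattens two osv-scanner-style JSON reports (base ref and head ref), diffs them, and applies the trigger rule (`pull_request` fails only on introduced findings, every other trigger fails on any finding). The report shape (`results` → `packages` → `package` / `vulnerabilities`) is the subset of osv-scanner's JSON output the example assumes; package names, versions and advisory ids are constructed.

```python
"""Differential vs. full OSV gate logic (added example; not the project's workflow)."""
from typing import Dict, Set, Tuple

# A finding is keyed on (ecosystem, package, vuln id). Version is left out on
# purpose so that a lock-file bump that keeps an already-vulnerable package does
# not count as "introducing" the advisory. This is a simplification chosen for
# the example, not a claim about osv-reporter's exact --old/--new semantics.
Finding = Tuple[str, str, str]


def findings(report: Dict) -> Set[Finding]:
    """Flatten an osv-scanner JSON report (results -> packages -> vulnerabilities)."""
    out: Set[Finding] = set()
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            for vuln in pkg.get("vulnerabilities", []):
                out.add((meta["ecosystem"], meta["name"], vuln["id"]))
    return out


def introduced(base: Dict, head: Dict) -> Set[Finding]:
    """Findings present in the head scan but absent from the base scan."""
    return findings(head) - findings(base)


def gate(event_name: str, base: Dict, head: Dict) -> Tuple[bool, Set[Finding]]:
    """pull_request -> fail only on introduced findings; any other trigger -> fail on any."""
    blocking = introduced(base, head) if event_name == "pull_request" else findings(head)
    return (not blocking, blocking)


def _scan(name: str, version: str, *vuln_ids: str) -> Dict:
    """Minimal osv-scanner-shaped report for one PyPI package (constructed data)."""
    pkg = {"package": {"name": name, "version": version, "ecosystem": "PyPI"},
           "vulnerabilities": [{"id": v} for v in vuln_ids]}
    return {"results": [{"source": {"path": "uv.lock", "type": "lockfile"}, "packages": [pkg]}]}


# Constructed scenario: the base branch already carries one open advisory.
BASE = _scan("requests", "2.31.0", "EXAMPLE-OLD-0001")
# PR A only bumps the lock file; the same advisory stays open (pre-existing debt).
HEAD_LOCK_BUMP = _scan("requests", "2.31.1", "EXAMPLE-OLD-0001")
# PR B pulls in a second advisory on top of the pre-existing one.
HEAD_NEW_VULN = _scan("requests", "2.31.0", "EXAMPLE-OLD-0001", "EXAMPLE-NEW-0002")

if __name__ == "__main__":
    for label, head in (("lock bump", HEAD_LOCK_BUMP), ("new vuln", HEAD_NEW_VULN)):
        print(label, "pull_request:", gate("pull_request", BASE, head))
        print(label, "push        :", gate("push", BASE, head))
```

The lock-bump PR passes the differential gate but still fails a full `push`/`schedule` scan, which is exactly the split the workflow change describes.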