Merged
57 changes: 0 additions & 57 deletions .github/workflows/snyk-lts.yml

This file was deleted.

14 changes: 14 additions & 0 deletions .github/workflows/snyk.yml
@@ -3,7 +3,9 @@ on:
push:
branches:
- main
- '**.lts' # LTS release branches (e.g., 0.12.lts, 1.2.lts)
Contributor
Do we want to include only active LTS branches? For example, 1.2.lts and 1.3.lts are still supported, 0.12.lts is not. 1.2.lts support will be dropped in April. We won't do anything (AFAIK) if a vulnerability is found in unsupported LTS branches.

If we dropped 0.X.lts, it would mean we wouldn't need to add aries_cloudagent below. Not a big deal, but there you go...

Member Author

If we are not going to support 0.12.lts any longer then the aries_cloudagent path becomes obsolete, yes. Happy to remove it if we are not going to release on that branch anymore, it shouldn't hurt leaving it in otherwise.

Contributor

But if you are going to run on all **.lts branches, we need to keep it. Only drop it if you make the branch selector more precise.

Member Author

Then I think I'd leave it so we don't have to continuously update the GHA to pick the right branch - the action will trigger if we push to an LTS branch, which would mean we need a new release for it.

paths:
- aries_cloudagent/** # Legacy directory (older LTS branches)
- acapy_agent/**
- docker/**

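Review bot: the `paths` filter restricts this push trigger to `aries_cloudagent/**`, `acapy_agent/**` and `docker/**`, so if dependency manifests or lock files live outside those three directories, a commit that only bumps them will not be scanned on push; if such files exist, add them to the list. The `'**.lts'` glob also matches any branch whose name ends in `.lts`, not only release branches, and as the thread above notes it will keep scanning branches nobody will patch (0.12.lts); if that is acceptable, say so in the comment, otherwise list the supported branches explicitly (`- 1.2.lts`, `- 1.3.lts`) so the trigger and the support policy agree.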
@@ -37,6 +39,18 @@ jobs:
image: acapy-agent
args: --file=docker/Dockerfile

- name: Run Snyk monitor for continuous monitoring
# Continuously monitor for new vulnerabilities in released/releasable code
# See https://support.snyk.io/hc/en-us/articles/360000920818-What-are-the-differences-among-snyk-test-monitor-and-protect
continue-on-error: true
uses: snyk/actions/docker@9adf32b1121593767fc3c057af55b55db032dc04 # 1.0.0
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: acapy-agent
args: --file=docker/Dockerfile
command: monitor

# Replace any "null" security severity values with 0. The null value is used in the case
# of license-related findings, which do not do not indicate a security vulnerability.
# See https://github.com/github/codeql-action/issues/2187 for more context.
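Review bot: `continue-on-error: true` on the new monitor step means an expired `SNYK_TOKEN`, a missing `acapy-agent` image or any other failure leaves the job green while continuous monitoring silently stops; either drop it or add a follow-up step that reports this step's outcome so a broken monitor is noticed rather than assumed working. Because this workflow now also runs on `**.lts` branches, each branch's `monitor` snapshot can land in the same Snyk project and replace the one taken from `main` unless the args distinguish them (for example `--project-name` or `--target-reference`, if the Snyk CLI version in use supports them). Nit on the unchanged context below the step: the comment reads "do not do not indicate".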