
fix(ci): pin osv-scanner-action to v2.3.3 and grant contents:write for docs#573

Merged
kcenon merged 1 commit into
mainfrom
fix/ci-osv-scanner-version-and-docs-permissions
Mar 11, 2026

Conversation

@kcenon

@kcenon kcenon commented Mar 11, 2026

Owner

What

Fix two pre-existing CI failures that have been occurring consistently since 2026-03-06.

Change Type

  • Bugfix (CI/workflow fixes)

Why

Related Issues

Problem 1: OSV Vulnerability Scan failure

google/osv-scanner-action@v2 does not exist as a major-version tag in the upstream repository. Only specific patch versions exist (latest: v2.3.3). GitHub Actions failed to resolve the action reference with:

Unable to resolve action `google/osv-scanner-action@v2`, unable to find version `v2`

Problem 2: Generate-Documentation startup_failure

The calling workflow (build-Doxygen.yaml) invokes the reusable workflow kcenon/common_system/.github/workflows/doxygen.yml@main, which deploys to GitHub Pages and requires contents: write permission. The calling workflow had no explicit permissions block, causing a pre-flight permission validation failure (startup_failure) before the job could run.

Both failures were pre-existing before PR #572 and unrelated to the v0.3.0 version bump.

Who

Required Approvals

  • Repository maintainer

When

Urgency

  • Normal - Follow standard review process

Where

Files Changed

File                                   Change
.github/workflows/osv-scanner.yml      Pin @v2 -> @v2.3.3 (both scan steps)
.github/workflows/build-Doxygen.yaml   Add permissions: contents: write

How

Implementation Details

OSV Scanner fix: Pinned both google/osv-scanner-action steps from the non-existent @v2 to the specific stable release @v2.3.3.

Doxygen permissions fix: Added permissions: contents: write at the workflow level. This grants the called reusable workflow the permission it needs to write to the gh-pages branch. Without this, GitHub's pre-flight permission check fails and the job never starts.

Testing Done

  • Verified v2.3.3 exists in google/osv-scanner-action tags
  • Verified v4 exists for peaceiris/actions-gh-pages (used in callee)
  • CI results pending

Breaking Changes

None.
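As an added illustration (not code from this PR or the repository), a small Python lint that applies the two checks this fix implies to workflow text: it classifies every `uses:` reference by how firmly it is pinned and flags a workflow that calls a reusable workflow without an explicit top-level `permissions` block. The two sample workflows are constructed to mirror the before/after state described above; the lint also goes beyond the page in treating an exact version tag as weaker than a commit SHA, because tags can be moved upstream.

```python
import re

# Constructed sample workflows (not from the repository) modelled on the PR text:
# BEFORE lacks a top-level permissions block and uses a floating @v2 reference,
# AFTER carries the two fixes described in the PR.
BEFORE = """\
name: Generate-Documentation
on: [push]
jobs:
  docs:
    uses: kcenon/common_system/.github/workflows/doxygen.yml@main
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: google/osv-scanner-action@v2
"""
AFTER = BEFORE.replace("on: [push]\n", "on: [push]\npermissions:\n  contents: write\n") \
              .replace("osv-scanner-action@v2", "osv-scanner-action@v2.3.3")

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)

def classify_ref(ref):
    """Classify the part after '@' in a uses: reference by how firmly it pins."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"             # immutable: the only pin upstream cannot move
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact"           # specific release tag; resolves, but tags are mutable
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "floating-major"  # e.g. @v2: tracks releases, and may not even exist
    return "branch"              # e.g. @main: moves with every push

def lint_workflow(text):
    """Return (list of (action, ref, kind) for every non-SHA ref, missing_permissions)."""
    refs = USES_RE.findall(text)
    findings = []
    for ref in refs:
        if ref.startswith("./"):          # local composite action, nothing to pin
            continue
        action, _, version = ref.partition("@")
        kind = classify_ref(version) if version else "branch"
        if kind != "sha":
            findings.append((action, version, kind))
    # A caller of a reusable workflow needs a top-level (column 0) permissions block,
    # otherwise the callee's permission requirement cannot be satisfied.
    calls_reusable = any("/.github/workflows/" in r for r in refs)
    has_permissions = re.search(r"^permissions:", text, re.MULTILINE) is not None
    return findings, calls_reusable and not has_permissions

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_workflow(wf))
```

Whether a referenced tag actually exists upstream (the root cause of Problem 1) still needs a network check such as `git ls-remote --tags` against the action repository; this lint only inspects the workflow text.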

…r docs

Two pre-existing CI failures resolved:

1. OSV Vulnerability Scan: google/osv-scanner-action@v2 does not exist as a
   major-version tag. The repository only publishes specific patch versions
   (v2.3.3 is latest). Pinned both scan steps to v2.3.3.

2. Generate-Documentation: startup_failure caused by the reusable workflow
   (kcenon/common_system/.github/workflows/doxygen.yml) requiring
   `contents: write` permission (to deploy gh-pages) while the calling
   workflow had no explicit permissions block. Added `permissions: contents: write`
   at the workflow level so the called workflow can satisfy the permission
   requirement.

Both failures have been occurring consistently since 2026-03-06 and are
unrelated to the v0.3.0 version bump in #572.
@github-actions

Contributor

📊 Performance Benchmark Results

Performance Benchmark Report

No benchmark data available.

ℹ️ No baseline reference available

This is the first benchmark run, or the baseline file is missing.

@kcenon kcenon merged commit 634de1f into main Mar 11, 2026
27 checks passed
@kcenon kcenon deleted the fix/ci-osv-scanner-version-and-docs-permissions branch March 11, 2026 10:51
kcenon added a commit that referenced this pull request Apr 13, 2026
…r docs (#573)