apache · HTHou · Jan 8, 2026 · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
diff --git a/.github/workflows/vulnerability-check.yml b/.github/workflows/vulnerability-check.yml
@@ -1,7 +1,7 @@
 name: vulnerability-check
 on:
   schedule:
-    # Run at UTC 16:00 every week (CST 00:00 AM)
+    # Run at 16:00 UTC every Sunday (Monday 00:00 CST)
     - cron: "0 16 * * 0"
   workflow_dispatch:
 concurrency:
@@ -15,46 +15,36 @@ env:
 
 jobs:
   dependency-check:
-    strategy:
-      fail-fast: false
-      max-parallel: 15
-      matrix:
-        java: [17]
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
+    if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'apache/iotdb' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v4
-      - name: Set up JDK ${{ matrix.java }}
+      - name: Set up JDK 17
         uses: actions/setup-java@v4
         with:
           distribution: corretto
-          java-version: ${{ matrix.java }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Cache Maven packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-
+          java-version: 17
+
       - name: Do Maven install
         shell: bash
-        run: mvn clean install -DskipTests
-      - name: Do the dependency-check:check
-        shell: bash
-        run: mvn org.owasp:dependency-check-maven:check -DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }}
+        run: mvn $MAVEN_ARGS clean install -DskipTests
+
       - name: Do the dependency-check:aggregate
         shell: bash
-        run: mvn org.owasp:dependency-check-maven:aggregate -DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }}
-      - name: Convert UTC to East Asia Standard Time and Extract Date
+        run: mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate -DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }} -DnvdApiKey=${{ secrets.NVD_API_KEY }}
+
+      - name: Generate report date for artifact name
         run: |
           utc_time="${{ github.run_started_at }}"
           target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d")
-          echo "DATE_EAST_ASIA=$target_time" >> $GITHUB_ENV
+          echo "REPORT_DATE=$target_time" >> $GITHUB_ENV
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
-          name: vulnerability-check-result-${{ runner.os }}-${{ env.DATE_EAST_ASIA }}
+          name: vulnerability-check-result-${{ env.REPORT_DATE }}
           path: target/dependency-check-report.html
           retention-days: 15