.github/workflows/recipe-security-scanner.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,7 @@ concurrency: @@
     permissions:
       contents: read
       pull-requests: write
+      issues: write
       statuses: write
     jobs:
@@ Expand Down Expand Up / @@ -140,6 +141,12 @@ jobs: @@
               # Set permissions for Docker container (scanner user is UID 1000)
               sudo chmod -R 777 "$OUT" || true
+              # Verify secrets are available (without logging details)
+              if [ -z "$OPENAI_API_KEY" ] || [ -z "$TRAINING_DATA_LOW" ] || [ -z "$TRAINING_DATA_MEDIUM" ] || [ -z "$TRAINING_DATA_EXTREME" ]; then
+                echo "❌ One or more required secrets are missing or inaccessible"
+                exit 1
+              fi
               # Initialize overall scan results
               echo '{"scanned_recipes": [], "overall_status": "UNKNOWN", "failed_scans": 0}' > "$OUT/pr_scan_summary.json"
@@ Expand Down @@

.github/workflows/validate-recipe-pr.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ on: @@
     permissions:
       contents: read
       pull-requests: write
+      issues: write
     jobs:
       validate-recipe:
@@ Expand Down Expand Up / @@ -158,7 +159,7 @@ jobs: @@
                     # Check if this is a new file or an update to existing file
                     # Get list of changed files in this PR compared to base branch
-                    CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
+                    CHANGED_FILES=$(git diff --name-only --diff-filter=AM origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
                     EXISTING_FILES=$(find documentation/src/pages/recipes/data/recipes/ -name "$FILENAME.yaml" -o -name "$FILENAME.yml" | grep -v "^$RECIPE_FILE$" || true)
                     if [ -n "$EXISTING_FILES" ] && [ -z "$CHANGED_FILES" ]; then
@@ Expand Down @@

patching recipe scanning workflows for permissions changes #4579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

iandouglas merged 1 commit into main from iand/recipe-scanner-updates

Sep 9, 2025

-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,7 @@ concurrency: @@
     permissions:
       contents: read
       pull-requests: write
+      issues: write
       statuses: write
     jobs:
@@ Expand Down Expand Up / @@ -140,6 +141,12 @@ jobs: @@
               # Set permissions for Docker container (scanner user is UID 1000)
               sudo chmod -R 777 "$OUT" || true
+              # Verify secrets are available (without logging details)
+              if [ -z "$OPENAI_API_KEY" ] || [ -z "$TRAINING_DATA_LOW" ] || [ -z "$TRAINING_DATA_MEDIUM" ] || [ -z "$TRAINING_DATA_EXTREME" ]; then
+                echo "❌ One or more required secrets are missing or inaccessible"
+                exit 1
+              fi
               # Initialize overall scan results
               echo '{"scanned_recipes": [], "overall_status": "UNKNOWN", "failed_scans": 0}' > "$OUT/pr_scan_summary.json"
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ on: @@
     permissions:
       contents: read
       pull-requests: write
+      issues: write
     jobs:
       validate-recipe:
@@ Expand Down Expand Up / @@ -158,7 +159,7 @@ jobs: @@
                     # Check if this is a new file or an update to existing file
                     # Get list of changed files in this PR compared to base branch
-                    CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
+                    CHANGED_FILES=$(git diff --name-only --diff-filter=AM origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
                     EXISTING_FILES=$(find documentation/src/pages/recipes/data/recipes/ -name "$FILENAME.yaml" -o -name "$FILENAME.yml" | grep -v "^$RECIPE_FILE$" || true)
                     if [ -n "$EXISTING_FILES" ] && [ -z "$CHANGED_FILES" ]; then
@@ Expand Down @@

Provide feedback