gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(workflow): filter dispatched codeql runs with jq (#260)

Browse Source
This commit is contained in:
davida-ps
2026-06-10 11:23:30 +03:00
committed by GitHub
parent 3cef7aa46b
commit cb58e588c5
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/poll-nvd-cves.yml
+1 -1
View File
@@ -1069,7 +1069,7 @@ jobs:
--event workflow_dispatch \
--limit 50 \
--json databaseId,createdAt,headSha \
--jq --arg since "$DISPATCHED_AT" --arg sha "$EXPECTED_HEAD_SHA" '
| jq -r --arg since "$DISPATCHED_AT" --arg sha "$EXPECTED_HEAD_SHA" '
map(select(.createdAt >= $since and .headSha == $sha))
| sort_by(.createdAt)
| last
scripts/test-nvd-ghsa-consolidation-workflow.mjs
+10
View File
@@ -47,6 +47,16 @@ assert.match(
/git add "\$FEED_PATH" "\$FEED_SIG_PATH" "\$GHSA_FEED_PATH" "\$GHSA_FEED_SIG_PATH" "\$SKILL_FEED_PATH" "\$SKILL_FEED_SIG_PATH"/,
'NVD workflow PR must include both NVD and GHSA feed artifacts',
);
assert.doesNotMatch(
workflow,
/gh run list[\s\S]*--jq --arg/,
'CodeQL run lookup must not pass jq CLI flags through gh --jq',
);
assert.match(
workflow,
/gh run list[\s\S]*--json databaseId,createdAt,headSha \\\s*\n\s+\| jq -r --arg since "\$DISPATCHED_AT" --arg sha "\$EXPECTED_HEAD_SHA"/,
'CodeQL run lookup must filter the gh JSON output with jq variables',
);
assert.match(
ciWorkflow,
/name: NVD \+ GHSA Pipeline Dry Run[\s\S]*node scripts\/test-nvd-ghsa-pipeline-dry-run\.mjs/,