ci(security): run security scan daily on this public repo#517
Conversation
There was a problem hiding this comment.
Clean, well-scoped CI refactor. Verified:
git mvrename ofweekly-security.yml→nightly-security.ymlwith scan logic unchangedmerge.ymlreusable reference updated to the new filename; no dangling references to the old name remain anywhere in the repoworkflow_callinterface (inputs.upload-sarif) preserved, so the merge.yml security gate still resolvesconcurrencyblock is valid and correctly usescancel-in-progress: false(right choice for a security scan you don't want interrupted)
One non-blocking nit (inline): the workflow is now named Nightly Security Scan but the cron 0 2 * * 1 runs weekly on Mondays, not nightly. The PR description pre-justifies this as matching the arillso standard, so it's optional — but the 'nightly' name + weekly schedule is a real source of confusion worth tightening (either change the cron or keep the comment explicit about the weekly cadence).
No blocking issues found.
Ansible Container Tests Summary — ✅ SUCCESS
Statistical Summary
Environment Information
|
d82c119 to
076c663
Compare
076c663 to
cacf094
Compare
There was a problem hiding this comment.
All raised issues have been addressed. The cron is now truly nightly (0 2 * * *) matching the Nightly Security Scan name, the file has been renamed to nightly-security.yml, merge.yml updated accordingly, and a concurrency group added to prevent overlapping runs. No new issues in the delta.
Public repos get free GitHub Actions minutes, so the security scan runs daily. Rename weekly-security.yml -> nightly-security.yml, set name 'Nightly Security Scan', cron '0 2 * * *', and add the standard concurrency block. Update the merge.yml reusable reference. Signed-off-by: Simon Bärlocher <s.baerlocher@sbaerlocher.ch>
cacf094 to
3b22019
Compare
Summary
Renames
weekly-security.yml→nightly-security.yml("Nightly Security Scan") and switches the schedule to a daily cron0 2 * * *. Adds the standard concurrency block. Updates themerge.ymlreusable reference.Why
Per the arillso/sbaerlocher repo standard (visibility-based cadence rule): public repos get free GitHub Actions minutes, so the security scan runs daily; private repos run it weekly to save paid minutes.
docker.ansibleis public → daily.Test plan