Use offline cache for Security Scan on fork PRs#1514

Merged
vikrantpuppala merged 1 commit into
mainfrom
fix/security-scan-fork-offline-cache
Jun 29, 2026
Conversation

@vikrantpuppala

Collaborator

Problem

The Security Scan check fails on every fork PR (e.g. #1507), and not on a CVE finding — it dies earlier, at the SBOM build:

spotless-maven-plugin:pom:2.39.0 (absent): Could not transfer ... from central
(https://repo.maven.apache.org/maven2): Remote host terminated the handshake

securityScan.yml skips JFrog auth for fork PRs (no OIDC token) on the assumption — see the old comment — that Maven can fetch everything from Maven Central directly. On the databricks-protected-runner-group, that assumption is false: connections to repo.maven.apache.org are refused (Remote host terminated the handshake). So mvn package can't resolve build plugins and the job fails before osv-scanner ever runs. The CVE step is skipped. This blocks fork PRs regardless of their actual CVE posture.

Fix

Switch the job to the same dependency-resolution flow every other CI job already uses — fork-check + ./.github/actions/setup-maven:

  • Fork PRs restore the warmed offline cache and run Maven offline (no Central, no JFrog creds needed).
  • Same-repo runs authenticate to JFrog as before.

The cache warmer already downloads the plugins the SBOM build needs — verified in a warm run that both cyclonedx-maven-plugin:2.9.1 and spotless-maven-plugin:2.39.0 are cached.

This also aligns the checkout with the rest of CI (checks out the fork's head ref).

Note on the CVE baseline

Separately, the scheduled (non-fork) Security Scan on main can fail on real OSV-Scanner CVE findings — that's a genuine dependency-CVE signal and unaffected by this change. This PR only fixes the fork-PR case where the build couldn't even run.

NO_CHANGELOG=true

This pull request and its description were written by Isaac.

The Security Scan job skipped JFrog auth for fork PRs on the assumption
that Maven could fetch everything from Central directly. On the protected
runner group that assumption is false — connections to
repo.maven.apache.org fail with "Remote host terminated the handshake",
so the SBOM build (mvn package) could never resolve plugins like
spotless-maven-plugin and the job failed before reaching the CVE scan.
This blocked every fork PR regardless of its actual CVE posture.

Switch the job to the same fork-check + ./.github/actions/setup-maven
flow used by prCheck.yml: fork PRs restore the warmed offline cache and
run Maven offline; same-repo runs authenticate to JFrog. The warmer
already caches the cyclonedx and spotless plugins the SBOM build needs
(verified in a warm run).

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
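The fix relies on the warmed offline cache already holding the two build plugins the SBOM step resolves. The script below is an added example, not part of the PR or the project's CI: it checks a restored local Maven repository for those plugin artifacts before Maven is run with `-o`, so a cold or incomplete cache fails fast with a clear message instead of surfacing later as an opaque transfer error. The repository path and the expected cache layout (`<groupId as directories>/<artifactId>/<version>/`) are the standard Maven conventions; the plugin coordinates are the ones named in the PR, with their Maven Central group IDs filled in here as assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the PR): verify that a restored offline Maven cache
# contains the plugins the SBOM build needs before running `mvn -o package`.

# check_plugin_cached <repo_dir> <groupId> <artifactId> <version>
# Returns 0 when both the POM and the jar for the plugin are present.
check_plugin_cached() {
  repo="$1"; group="$2"; artifact="$3"; version="$4"
  # Maven stores artifacts under <group dirs>/<artifactId>/<version>/.
  dir="$repo/$(printf '%s' "$group" | tr . /)/$artifact/$version"
  [ -f "$dir/$artifact-$version.pom" ] && [ -f "$dir/$artifact-$version.jar" ]
}

# verify_offline_cache <repo_dir>
# Returns 0 when every required plugin is cached, 1 otherwise.
verify_offline_cache() {
  repo="$1"; missing=0
  # Coordinates from the PR; group IDs are the Maven Central ones (assumed here).
  while IFS=: read -r group artifact version; do
    [ -n "$group" ] || continue
    if check_plugin_cached "$repo" "$group" "$artifact" "$version"; then
      echo "cached:  $group:$artifact:$version"
    else
      echo "MISSING: $group:$artifact:$version" >&2
      missing=$((missing + 1))
    fi
  done <<EOF
org.cyclonedx:cyclonedx-maven-plugin:2.9.1
com.diffplug.spotless:spotless-maven-plugin:2.39.0
EOF
  [ "$missing" -eq 0 ]
}

# Typical use in a workflow step, after the cache restore and before the SBOM build:
#   verify_offline_cache "${HOME}/.m2/repository" && mvn -o package
```

Running this as the first step after the cache restore turns a missing plugin into an explicit `MISSING:` line on stderr and a non-zero exit, which is far easier to triage in CI logs than the `Remote host terminated the handshake` failure the PR describes.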
@vikrantpuppala vikrantpuppala requested a review from a team as a code owner June 29, 2026 12:06
@vikrantpuppala vikrantpuppala enabled auto-merge (squash) June 29, 2026 12:15
@vikrantpuppala vikrantpuppala merged commit 229e362 into main Jun 29, 2026
24 of 26 checks passed
@vikrantpuppala vikrantpuppala deleted the fix/security-scan-fork-offline-cache branch June 29, 2026 15:47