diff --git a/.github/workflows/securityScan.yml b/.github/workflows/securityScan.yml
index 94de356e7..62c936477 100644
--- a/.github/workflows/securityScan.yml
+++ b/.github/workflows/securityScan.yml
@@ -55,66 +55,39 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + ref: ${{ github.event.pull_request.head.ref || github.ref_name }} + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} - name: Set up JDK 11 uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '11' distribution: 'temurin' - cache: maven - # JFrog OIDC + maven proxy: skipped on fork PRs (no OIDC token from - # GitHub's perspective). Fork PRs still work because all of the - # driver's direct dependencies are published to public Maven Central - # (verified against jdbc-core/pom.xml); without ~/.m2/settings.xml, - # Maven falls through to Central directly. JFrog is just a faster - # mirror, not a source of any artifact the build genuinely needs. - - name: Get JFrog OIDC token - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository + - name: Check if fork + id: fork-check + shell: bash run: | - set -euo pipefail - - ID_TOKEN=$(curl -sLS \ - -H "User-Agent: actions/oidc-client" \ - -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"') - echo "::add-mask::${ID_TOKEN}" - - ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \ - "https://databricks.jfrog.io/access/api/v1/oidc/token" \ - -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"') - echo "::add-mask::${ACCESS_TOKEN}" - - if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then - echo "FAIL: Could not extract JFrog access token" - exit 1 + if [ "${{ github.event.pull_request.head.repo.full_name }}" != "" ] && \ + [ "${{ 
github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then + echo "is_fork=true" >> $GITHUB_OUTPUT + echo "This is a forked PR — will use cached dependencies" + else + echo "is_fork=false" >> $GITHUB_OUTPUT + echo "This is a same-repo PR or push — will use JFrog OIDC" fi - echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV" - - - name: Configure maven - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository - run: | - set -euo pipefail - mkdir -p ~/.m2 - cat > ~/.m2/settings.xml << EOF - - - - jfrog-central - * - https://databricks.jfrog.io/artifactory/db-maven/ - - - - - jfrog-central - gha-service-account - ${JFROG_ACCESS_TOKEN} - - - - EOF + # Resolve dependencies the same way every other CI job does: fork PRs + # restore the warmed offline cache and run Maven offline (the protected + # runners cannot reach Maven Central directly — TLS handshakes are + # terminated), while same-repo runs authenticate to JFrog. Previously + # this job tried Central directly for forks and always failed at the + # SBOM build before ever reaching the CVE scan. + - name: Setup Maven + uses: ./.github/actions/setup-maven + with: + is-fork: ${{ steps.fork-check.outputs.is_fork }} # Build the project to produce the cyclonedx aggregate SBOM that OSV # will scan. -Ddependency-check.skip=true because the OWASP plugin
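Review bot: The new `Check if fork` step interpolates `${{ github.event.pull_request.head.repo.full_name }}` and `${{ github.repository }}` directly into the `run:` script, which is the script-injection pattern GitHub's hardening guidance tells you to avoid; repository names are tightly restricted so the practical exposure is small, but the idiomatic form is to pass both through `env:` and compare shell variables, and while there the bare `>> $GITHUB_OUTPUT` should be quoted. Separately, the checkout step now selects `head.ref`, a mutable branch name, rather than the commit the event reported, so the code that gets scanned can move between the event and the checkout; `ref: ${{ github.event.pull_request.head.sha || github.sha }}` pins it. Whether explicitly checking out the fork's repository is acceptable depends on the workflow trigger and the job's `permissions`/`id-token` setting, both of which sit above this hunk — on `pull_request` it is effectively the default head, but on `pull_request_target` it would execute fork code with base-repository privileges, so that should be confirmed. The enclosing job definition and the workflow `on:` block start outside the hunk.

```yaml
      - name: Check if fork
        id: fork-check
        shell: bash
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          if [ -n "$HEAD_REPO" ] && [ "$HEAD_REPO" != "$BASE_REPO" ]; then
            echo "is_fork=true" >> "$GITHUB_OUTPUT"
          # … unchanged: log messages and else branch, with the same quoting of $GITHUB_OUTPUT …
```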