From f36577effeaa12843eb2da44d481ef1a5cbcebff Mon Sep 17 00:00:00 2001
From: Vikrant Puppala
Date: Mon, 29 Jun 2026 12:05:43 +0000
Subject: [PATCH] Use offline cache for Security Scan on fork PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Security Scan job skipped JFrog auth for fork PRs on the assumption that Maven could fetch everything from Central directly. On the protected runner group that assumption is false — connections to repo.maven.apache.org fail with "Remote host terminated the handshake", so the SBOM build (mvn package) could never resolve plugins like spotless-maven-plugin and the job failed before reaching the CVE scan. This blocked every fork PR regardless of its actual CVE posture. Switch the job to the same fork-check + ./.github/actions/setup-maven flow used by prCheck.yml: fork PRs restore the warmed offline cache and run Maven offline; same-repo runs authenticate to JFrog. The warmer already caches the cyclonedx and spotless plugins the SBOM build needs (verified in a warm run).
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala
---
.github/workflows/securityScan.yml | 73 ++++++++++-------------------
1 file changed, 23 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/securityScan.yml b/.github/workflows/securityScan.yml
index 94de356e7..62c936477 100644
--- a/.github/workflows/securityScan.yml
+++ b/.github/workflows/securityScan.yml
@@ -55,66 +55,39 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + ref: ${{ github.event.pull_request.head.ref || github.ref_name }} + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} - name: Set up JDK 11 uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '11' distribution: 'temurin' - cache: maven - # JFrog OIDC + maven proxy: skipped on fork PRs (no OIDC token from - # GitHub's perspective). Fork PRs still work because all of the - # driver's direct dependencies are published to public Maven Central - # (verified against jdbc-core/pom.xml); without ~/.m2/settings.xml, - # Maven falls through to Central directly. JFrog is just a faster - # mirror, not a source of any artifact the build genuinely needs. - - name: Get JFrog OIDC token - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository + - name: Check if fork + id: fork-check + shell: bash run: | - set -euo pipefail - - ID_TOKEN=$(curl -sLS \ - -H "User-Agent: actions/oidc-client" \ - -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"') - echo "::add-mask::${ID_TOKEN}" - - ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \ - "https://databricks.jfrog.io/access/api/v1/oidc/token" \ - -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"') - echo "::add-mask::${ACCESS_TOKEN}" - - if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then - echo "FAIL: Could not extract JFrog access token" - exit 1 + if [ "${{ github.event.pull_request.head.repo.full_name }}" != "" ] && \ + [ "${{ 
github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then + echo "is_fork=true" >> $GITHUB_OUTPUT + echo "This is a forked PR — will use cached dependencies" + else + echo "is_fork=false" >> $GITHUB_OUTPUT + echo "This is a same-repo PR or push — will use JFrog OIDC" fi - echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV" - - - name: Configure maven - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository - run: | - set -euo pipefail - mkdir -p ~/.m2 - cat > ~/.m2/settings.xml << EOF - - - - jfrog-central - * - https://databricks.jfrog.io/artifactory/db-maven/ - - - - - jfrog-central - gha-service-account - ${JFROG_ACCESS_TOKEN} - - - - EOF + # Resolve dependencies the same way every other CI job does: fork PRs + # restore the warmed offline cache and run Maven offline (the protected + # runners cannot reach Maven Central directly — TLS handshakes are + # terminated), while same-repo runs authenticate to JFrog. Previously + # this job tried Central directly for forks and always failed at the + # SBOM build before ever reaching the CVE scan. + - name: Setup Maven + uses: ./.github/actions/setup-maven + with: + is-fork: ${{ steps.fork-check.outputs.is_fork }} # Build the project to produce the cyclonedx aggregate SBOM that OSV # will scan. -Ddependency-check.skip=true because the OWASP plugin
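Review bot: The new checkout `with:` block pins to the fork's branch name (`head.ref`) rather than the PR commit, so the tree that gets scanned can move after the run is triggered and is no longer the merge ref that `actions/checkout` resolves by default on `pull_request`; prefer `ref: ${{ github.event.pull_request.head.sha || github.sha }}` so the SBOM and the CVE result are tied to the exact commit under review. If this workflow is, or later becomes, triggered by `pull_request_target`, checking out fork content this way would run fork-controlled build plugins with the base repository's token, so the trigger should stay `pull_request` — the `on:` block is outside the hunk and cannot be confirmed here. In the fork-check step, `${{ github.event.pull_request.head.repo.full_name }}` is expanded straight into the shell script twice; repository names have a restricted character set, but the usual defense is to pass the value through `env:` (for example `HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}`) and compare `"$HEAD_REPO"` in the script, which also allows `"$GITHUB_OUTPUT"` to be quoted. The job's `steps:` list begins outside the hunk.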