
Final pipeline changes #30

Open
vipin230 wants to merge 3 commits into main from final-pipeline-changes

Conversation


@vipin230 vipin230 commented Mar 4, 2026

Description

This pull request updates the CI workflow and Grype scan workflows to improve flexibility, security, and reliability for PR checks and image scanning. The main changes include adding new input parameters for event and branch context, improving token handling for GitHub authentication, refactoring the BlackDuck Polaris SAST scan job to use a reusable workflow, and enhancing Grype scan logic to avoid AWS ECR rate limits and deduplicate vulnerability reporting.

Workflow Inputs and Context Passing

  • Added new inputs github-event-name and github-branch-name to .github/workflows/ci-main-pull-request.yml and propagated these to relevant jobs, enabling workflows to receive GitHub event and branch context for more accurate PR comment detection and branch-specific logic.
  • Added grype-image-skip-aws input to both .github/workflows/ci-main-pull-request.yml and .github/workflows/grype.yml to allow skipping Grype scans on AWS ECR images, preventing rate limit issues when images are already scanned by other tools.

Security and Token Handling

  • Updated all usages of GITHUB_TOKEN to prefer GH_TOKEN if available, improving support for custom tokens and private repository access in CI jobs and git configuration.

BlackDuck Polaris SAST Scan Refactor

  • Refactored the BlackDuck Polaris SAST scan job in .github/workflows/ci-main-pull-request.yml to use the reusable workflow chef/common-github-actions/.github/workflows/polaris-sast.yml@main, consolidating configuration and simplifying maintenance. All relevant inputs are now passed directly to the reusable workflow.

Grype Scan Improvements

  • Updated Grype scan logic in .github/workflows/grype.yml to deduplicate vulnerabilities by CVE, package, and version, providing more accurate counts for critical and high severity findings.

These changes improve the maintainability, reliability, and accuracy of CI and security workflows, especially for complex PR and image scanning scenarios.

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.
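The deduplication the description attributes to grype.yml, shown as an added example (this is not the project's workflow code). It assumes Grype's JSON report layout: a top-level "matches" list whose entries carry "vulnerability" {"id", "severity"} and "artifact" {"name", "version"}. Findings are keyed on (CVE, package, version), so the same CVE matched twice for one package (for example from two layers or file locations) counts once, while the same CVE against a different version of the package still counts separately. The sample report is constructed, and the fail thresholds in should_fail are an assumption, not something the PR states.

```python
"""Deduplicate Grype JSON findings and count critical/high severities.

Added example, not code from the PR or from grype.yml. Assumes the Grype
JSON layout (top-level "matches" -> "vulnerability"{"id","severity"} and
"artifact"{"name","version"}). The report below is constructed.
"""
import json
from collections import Counter

# Constructed sample: CVE-2024-0001 on libfoo 1.2.3 appears twice (a duplicate
# match), once more on libfoo 1.2.4 (a distinct package version), CVE-2024-0002
# on libbar appears twice, and one Low finding that should not affect the gate.
CONSTRUCTED_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-0001", "severity": "Critical"},
         "artifact": {"name": "libfoo", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-2024-0001", "severity": "Critical"},
         "artifact": {"name": "libfoo", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-2024-0001", "severity": "Critical"},
         "artifact": {"name": "libfoo", "version": "1.2.4"}},
        {"vulnerability": {"id": "CVE-2024-0002", "severity": "High"},
         "artifact": {"name": "libbar", "version": "2.0.0"}},
        {"vulnerability": {"id": "CVE-2024-0002", "severity": "High"},
         "artifact": {"name": "libbar", "version": "2.0.0"}},
        {"vulnerability": {"id": "CVE-2024-0003", "severity": "Low"},
         "artifact": {"name": "libbaz", "version": "0.1.0"}},
    ]
})


def load_matches(report_json):
    """Parse a Grype JSON report (e.g. from `grype -o json`) into its matches list."""
    return json.loads(report_json).get("matches", [])


def raw_counts(matches):
    """Naive per-match counts: this is what over-reports when matches repeat."""
    c = Counter(m["vulnerability"]["severity"].lower() for m in matches)
    return {"critical": c["critical"], "high": c["high"]}


def dedupe(matches):
    """Collapse matches onto (CVE id, package name, package version).

    Returns a dict keyed on that tuple; the value is the severity of the
    first match seen for the key. Entries missing any key part are skipped.
    """
    unique = {}
    for m in matches:
        vuln = m.get("vulnerability", {})
        art = m.get("artifact", {})
        key = (vuln.get("id"), art.get("name"), art.get("version"))
        if any(part is None for part in key):
            continue
        unique.setdefault(key, vuln.get("severity", "Unknown"))
    return unique


def severity_counts(unique):
    """Critical/high counts over deduplicated findings."""
    c = Counter(sev.lower() for sev in unique.values())
    return {"critical": c["critical"], "high": c["high"]}


def should_fail(counts, max_critical=0, max_high=0):
    """Gate decision for the PR check (thresholds are an assumption here)."""
    return counts["critical"] > max_critical or counts["high"] > max_high


if __name__ == "__main__":
    matches = load_matches(CONSTRUCTED_REPORT)
    print("raw counts:          ", raw_counts(matches))
    unique = dedupe(matches)
    print("deduplicated counts: ", severity_counts(unique))
    for (cve, pkg, ver), sev in sorted(unique.items()):
        print(f"  {sev:<8} {cve} {pkg}@{ver}")
    print("gate:", "FAIL" if should_fail(severity_counts(unique)) else "PASS")
```

In a workflow step the report would come from `grype <image> -o json` rather than the constructed string; the point to check when wiring this in is that the raw count (3 critical, 2 high here) and the deduplicated count (2 critical, 1 high) differ, so any threshold you gate on should be computed after deduplication, not before.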

vipin230 force-pushed the final-pipeline-changes branch from 7f0b67e to 42ddab1 on March 4, 2026 11:25
sandhi18 and others added 2 commits March 4, 2026 17:01
