fix(stt): better error logging and smarter DM when STT lazy-install fails #7229
```yaml
name: OSV-Scanner
# Scans lockfiles (uv.lock, package-lock.json) against the OSV vulnerability
# database. Runs on every PR that touches a lockfile and on a weekly schedule
# against main.
#
# This is detection-only — OSV-Scanner does NOT open PRs or modify pins.
# It reports known CVEs in currently-pinned dependency versions so we can
# decide when and how to patch on our own schedule. Our pinning strategy
# (full SHA / exact version) is preserved; only the notification signal
# is added.
#
# Complements the existing supply-chain-audit.yml workflow (which scans
# for malicious code patterns in PR diffs) by covering the orthogonal
# "currently-pinned dep became known-vulnerable" case.
#
# Uses Google's officially-recommended reusable workflow, pinned by SHA.
# Findings land in the repo's Security tab (Code Scanning > OSV-Scanner).
# fail-on-vuln is disabled so the job does not block merges on pre-existing
# vulnerabilities in pinned deps that we may need to patch deliberately.

on:
  # No paths filter — the job must always run so the required check
  # reports a status (path-gated workflows leave checks "pending" forever
  # when no matching files change, which blocks merge).
  pull_request:
    branches: [main]
  push:
    branches: [main]
    paths:
      - "uv.lock"
      - "pyproject.toml"
      - "package.json"
      - "package-lock.json"
      - "website/package-lock.json"
  schedule:
    # Weekly scan against main — catches CVEs published after merge for
    # deps that haven't changed since.
    - cron: "0 9 * * 1"
  workflow_dispatch:

permissions:
  # Required by the reusable workflow to upload SARIF to the Security tab.
  actions: read
  contents: read
  security-events: write

jobs:
  scan:
    name: Scan lockfiles
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
    with:
      # Scan explicit lockfiles rather than recursing, so we only look at
      # the three sources of truth and skip vendored / test / worktree dirs.
      scan-args: |-
        --lockfile=uv.lock
        --lockfile=package-lock.json
        --lockfile=website/package-lock.json
      fail-on-vuln: false
```
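Review bot: the "No paths filter" comment under `on:` is misleading as placed, because the `push:` trigger directly below it does carry a `paths:` filter; only `pull_request:` is unfiltered, which is the case the comment is actually justifying (a required check that must always report a status). Move the comment inside `pull_request:` or reword it to "No paths filter on pull_request". Related: the `scan-args` comment says "the three sources of truth" and lists three lockfiles, while the push `paths:` list also includes `pyproject.toml` and `package.json`; a push touching only those manifests will trigger a scan whose inputs have not changed, which is harmless but worth a one-line comment so the two lists do not look inconsistent. Also note that with `fail-on-vuln: false` the job can only fail on scanner errors, so as a required check it is a presence signal, not a vulnerability gate; the header comment already says this is deliberate, so just confirm branch protection does not assume otherwise.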