Aliya Ai Mvp voice Assistant #7230
```yaml
name: OSV-Scanner
# Scans lockfiles (uv.lock, package-lock.json) against the OSV vulnerability
# database. Runs on every PR or push to main that touches a lockfile or its
# manifest, and on a weekly schedule against main.
#
# This is detection-only: OSV-Scanner does NOT open PRs or modify pins.
# It reports known vulnerabilities (CVE / GHSA / OSV IDs) in the currently
# pinned dependency versions so we can decide when and how to patch on our
# own schedule. Our pinning strategy (full SHA / exact version) is preserved;
# only the notification signal is added.
#
# Complements the existing supply-chain-audit.yml workflow (which scans
# for malicious code patterns in PR diffs) by covering the orthogonal
# "currently-pinned dep became known-vulnerable" case.
#
# Uses Google's officially recommended reusable workflow, pinned by commit
# SHA (the trailing tag comment is for humans; the SHA is what runs).
# Findings land in the repo's Security tab (Code Scanning > OSV-Scanner).
# fail-on-vuln is disabled so the job does not block merges on pre-existing
# vulnerabilities in pinned deps that we may need to patch deliberately;
# that means someone has to actually review the Security tab and the
# weekly run, because nothing here fails the build.
on:
  pull_request:
    branches: [main]
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
      - 'package.json'
      - 'package-lock.json'
      - 'ui-tui/package.json'
      - 'ui-tui/package-lock.json'
      - 'website/package.json'
      - 'website/package-lock.json'
      - '.github/workflows/osv-scanner.yml'
  push:
    branches: [main]
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
      - 'package.json'
      - 'package-lock.json'
      - 'ui-tui/package-lock.json'
      - 'website/package-lock.json'
  schedule:
    # Weekly scan against main: catches advisories published after merge for
    # deps that haven't changed since.
    - cron: '0 9 * * 1'
  workflow_dispatch:

permissions:
  # Required by the reusable workflow to upload SARIF to the Security tab.
  actions: read
  contents: read
  security-events: write

jobs:
  scan:
    name: Scan lockfiles
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5 # v2.3.5
    with:
      # Scan explicit lockfiles rather than recursing, so we only look at
      # the three sources of truth and skip vendored / test / worktree dirs.
      # A new lockfile needs a --lockfile entry here AND a matching entry in
      # the paths filters above, or it will be neither scanned nor triggered.
      scan-args: |-
        --lockfile=uv.lock
        --lockfile=ui-tui/package-lock.json
        --lockfile=website/package-lock.json
      fail-on-vuln: false
```
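Because `fail-on-vuln: false` turns the workflow into a pure notification signal, the useful follow-up is a triage step that turns the raw report into "which pin, which advisory, is there a fixed version". The script below is an added example, not part of the workflow above or of OSV-Scanner; it reads the JSON that a local `osv-scanner scan source --format=json -L uv.lock -L ui-tui/package-lock.json -L website/package-lock.json` run writes (the `results -> packages -> vulnerabilities` layout of osv-scanner's JSON output, with `affected[].ranges[].events[].fixed` taken from the embedded OSV records) and lists, per pinned package, the OSV IDs, their aliases and the lowest fixed version reported. The sample report embedded in it, including every package name and ID, is a constructed placeholder. As a stricter local policy than the workflow's, it exits non-zero only when a published fix exists for a pinned version, which is the case the team can act on immediately.

```python
"""Triage osv-scanner --format=json output for pinned dependencies.

Added example; not part of the OSV-Scanner workflow or of osv-scanner itself.
Per pinned package it reports the OSV IDs, aliases and the lowest fixed
version present in the report, and `fixable()` selects the findings a pin
bump could close. The report below is a constructed sample in osv-scanner's
JSON layout; its package names and IDs are placeholders, not real advisories.
"""
import json
import re
from typing import Any, Dict, List, Optional

# Constructed sample report (placeholder packages and IDs, not real advisories).
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "uv.lock", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-pkg", "version": "1.2.0", "ecosystem": "PyPI"},
                "vulnerabilities": [{
                    "id": "EXAMPLE-0001",
                    "aliases": ["EXAMPLE-ALIAS-0001"],
                    "summary": "placeholder: unsafe deserialization",
                    "affected": [{
                        "package": {"name": "example-pkg", "ecosystem": "PyPI"},
                        "ranges": [{"type": "ECOSYSTEM",
                                    "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
                    }],
                }],
            },
            {
                "package": {"name": "other-pkg", "version": "0.9.0", "ecosystem": "PyPI"},
                "vulnerabilities": [{
                    "id": "EXAMPLE-0002",
                    "aliases": [],
                    "summary": "placeholder: no upstream fix published",
                    "affected": [{
                        "package": {"name": "other-pkg", "ecosystem": "PyPI"},
                        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
                    }],
                }],
            },
        ],
    }],
})


def _version_key(version: str) -> List[tuple]:
    """Sort key: numeric components as ints, anything else as text.

    Good enough to pick the lowest fixed version for triage; it is not a
    full PEP 440 / semver comparator."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", version)]


def fixed_versions(vuln: Dict[str, Any], name: str, ecosystem: str) -> List[str]:
    """All 'fixed' events for this package in the OSV record, lowest first."""
    fixes = set()
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    fixes.add(event["fixed"])
    return sorted(fixes, key=_version_key)


def triage(report_json: str) -> List[Dict[str, Any]]:
    """Flatten an osv-scanner JSON report into one row per (pinned package, advisory)."""
    findings = []
    for result in json.loads(report_json).get("results", []):
        lockfile = result.get("source", {}).get("path", "?")
        for entry in result.get("packages", []):
            pkg = entry["package"]
            for vuln in entry.get("vulnerabilities", []):
                fixes = fixed_versions(vuln, pkg["name"], pkg["ecosystem"])
                findings.append({
                    "lockfile": lockfile,
                    "ecosystem": pkg["ecosystem"],
                    "package": pkg["name"],
                    "pinned": pkg["version"],
                    "id": vuln["id"],
                    "aliases": list(vuln.get("aliases", [])),
                    "fixed_in": fixes[0] if fixes else None,  # Optional[str]
                })
    return findings


def fixable(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Findings a pin bump could close: a fixed version is published."""
    return [f for f in findings if f["fixed_in"] is not None]


def render(findings: List[Dict[str, Any]]) -> str:
    """One line per finding, readable in a terminal or a PR comment."""
    lines = []
    for f in findings:
        alias = f" ({', '.join(f['aliases'])})" if f["aliases"] else ""
        fix = f["fixed_in"] or "no fix published"
        lines.append(f"{f['lockfile']}: {f['ecosystem']}/{f['package']}=={f['pinned']} "
                     f"{f['id']}{alias} -> fixed in {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    print(render(found))
    # Stricter than the workflow's fail-on-vuln: false, but narrower than
    # "fail on anything": block only when a fix exists for a pinned version.
    raise SystemExit(1 if fixable(found) else 0)
```

To run it against a real report, replace `SAMPLE_REPORT` with the file written by `osv-scanner scan source --format=json ... > osv.json`; the `fixed_in` column is what answers "can we bump this now", and an empty value marks a finding that has to be tracked rather than patched.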