
ci(sec-scorecard): add 20m timeout and disable unconfigured repo_token#6469

Open
Ian-wang-liyang wants to merge 1 commit into main from 6323-scorecard-timeout

Conversation

@Ian-wang-liyang

Contributor

Which problem does the PR fix?

Closes #6323.

What's in this PR?

Hardens the non-blocking Security - Scorecard workflow (.github/workflows/sec-scorecard.yaml).

  1. timeout-minutes: 20 on the analysis job. The job had no timeout, so a transient GitHub GraphQL 503 mid-analysis (run 26908556266) made the action retry against the degraded endpoint for 1h5m before failing. The timeout now fails fast on upstream outages.

  2. Commented out the repo_token line. It referenced secrets.SCORECARD_TOKEN, which is not configured anywhere in the repo or org (single reference, no README badge, no docs). Every run logged "The 'repo_token' variable is empty. Using the 'INPUT_INTERNAL_DEFAULT_TOKEN' variable instead." and fell back to GITHUB_TOKEN. Commenting it out restores the upstream scorecard-action starter default, silences the per-run auth notice and the IDE "Context access might be invalid: SCORECARD_TOKEN" diagnostic, and keeps the adjacent "Uncomment the line below…" comment accurate. Reversible by one uncomment if an admin later adds the PAT to enable full Branch-Protection scoring.

Deliberately not done (out of scope for #6323):

  • No 503 retry wrapper. Retry is optional per the issue, a re-run clears the transient 503, and the job is non-blocking. Retrying a uses: step would require a third-party retry action (Wandalen/wretry); this repo uses zero third-party retry deps (only bash loops / curl --retry / scripts/harbor-retry.sh). The 20m timeout already removes the 1h hang.

Follow-ups (separate issues/PRs):

  • An org/admin can add the SCORECARD_TOKEN PAT and uncomment the line to enable the OSSF Branch-Protection check.
  • ~36 jobs across ~20 workflow files lack timeout-minutes. Worth a separate hardening pass; highest-risk (Harbor + GitHub API callers): chart-release-public.yaml (release/post-release), chart-build-dev.yaml (build), chart-release-artifact-verify.yaml (verify), chart-promote-rc.yaml (promote-rc).

Checklist

Please make sure to follow our Contributing Guide.

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation is updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?
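As an added example, not code from this PR or from the repository it targets: a small Python audit that checks workflow text for the two gaps the PR description covers, a job with no job-level timeout-minutes (the 1h5m hang) and a `${{ secrets.X }}` reference to a secret that is not configured (the unconfigured SCORECARD_TOKEN). It generalises the follow-up item about the other ~36 jobs lacking timeout-minutes by reporting every job in a file. The sample workflow text is constructed to match the description above; the action version pins, step names and cron schedule are assumptions, and the parser assumes the two-space indentation of GitHub's starter workflows.

```python
"""Audit GitHub Actions workflow text for the two gaps this PR fixes:
jobs with no job-level timeout-minutes, and ${{ secrets.X }} references to
secrets that are not configured. Added example, not code from the repository."""
import re
from typing import Dict, List, Set

# Constructed "before" workflow, modelled on the PR description. The action
# version pins and step details are assumptions, not copied from the repo.
BEFORE = """\
name: Security - Scorecard
on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [main]
permissions: read-all
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Uncomment the line below to enable the Branch-Protection check
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          publish_results: true
"""

# The "after" state: the two edits the PR makes, applied to the sample above.
AFTER = BEFORE.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    timeout-minutes: 20\n",
).replace("          repo_token:", "          # repo_token:")

COMMENT_RE = re.compile(r"(^|\s)#.*$")
# Job-level timeout only: exactly four spaces of indent (step-level ones sit deeper).
TIMEOUT_RE = re.compile(r"^ {4}timeout-minutes:\s*\S+")
SECRET_RE = re.compile(r"\$\{\{[^}]*\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")


def strip_comment(line: str) -> str:
    """Drop a YAML comment (a '#' at line start or after whitespace)."""
    return COMMENT_RE.sub("", line).rstrip()


def parse_jobs(workflow_text: str) -> Dict[str, List[str]]:
    """Map each job id under the top-level 'jobs:' key to its body lines.
    Indentation-based; assumes the two-space layout of GitHub's starter workflows."""
    jobs: Dict[str, List[str]] = {}
    in_jobs = False
    current = None
    for raw in workflow_text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_jobs = line.startswith("jobs:")
            current = None
        elif in_jobs and indent == 2 and line.endswith(":"):
            current = line.strip()[:-1]
            jobs[current] = []
        elif in_jobs and current is not None:
            jobs[current].append(line)
    return jobs


def jobs_without_timeout(workflow_text: str) -> List[str]:
    """Job ids that carry no job-level timeout-minutes (the hang the PR fixes)."""
    return [job for job, body in parse_jobs(workflow_text).items()
            if not any(TIMEOUT_RE.match(line) for line in body)]


def unconfigured_secret_refs(workflow_text: str, configured: Set[str]) -> List[str]:
    """Secrets referenced on non-comment lines that are not in `configured`.
    GITHUB_TOKEN is always provided by the runner, so it is never reported."""
    missing: List[str] = []
    for raw in workflow_text.splitlines():
        for name in SECRET_RE.findall(strip_comment(raw)):
            if name != "GITHUB_TOKEN" and name not in configured and name not in missing:
                missing.append(name)
    return missing


if __name__ == "__main__":
    configured: Set[str] = set()  # assumption: no SCORECARD_TOKEN in repo or org
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "no-timeout jobs:", jobs_without_timeout(text),
              "unconfigured secrets:", unconfigured_secret_refs(text, configured))
```

Run it over the files in .github/workflows (or pass the configured secret names from `gh secret list`) to get the list of jobs that still need a timeout; commenting the repo_token line out, rather than deleting it, is what makes the secret check go quiet while keeping the uncomment-to-enable path visible.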

The Scorecard analysis job had no timeout-minutes, so a transient GitHub
GraphQL 503 mid-analysis made the action retry against the degraded endpoint
for 1h5m before failing (run 26908556266). Add timeout-minutes: 20 to fail
fast on upstream outages.

The repo_token line referenced secrets.SCORECARD_TOKEN, which is not
configured anywhere in the repo or org. Every run logged an auth notice and
fell back to GITHUB_TOKEN. Comment the line out to restore the upstream
scorecard-action starter default, silencing the log noise and the IDE
context-access diagnostic. Reversible by an admin who later adds the PAT.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Ian-wang-liyang Ian-wang-liyang marked this pull request as ready for review June 26, 2026 16:51
@Ian-wang-liyang Ian-wang-liyang requested a review from a team as a code owner June 26, 2026 16:51
@Ian-wang-liyang Ian-wang-liyang requested review from bkenez and Copilot and removed request for a team June 26, 2026 16:51

Copilot AI left a comment

Contributor


Pull request overview

Hardens the non-blocking Security - Scorecard GitHub Actions workflow by preventing long-running hangs during upstream GitHub API degradation and by removing an ineffective, unconfigured token input.

Changes:

  • Add a timeout-minutes: 20 limit to the analysis job to fail fast instead of consuming excessive runner time during transient outages.
  • Comment out repo_token: ${{ secrets.SCORECARD_TOKEN }} so the workflow uses the action’s default token behavior without emitting “repo_token is empty” notices.


Development

Successfully merging this pull request may close these issues.

ci: harden Security - Scorecard workflow against transient GraphQL 503 failures
