Skip to content

Improvements to Dependabot and Workflow Configs, New .trivyignore File#475

Merged
hhund merged 1 commit intomainfrom
actions_and_dependabot_improvements
Apr 20, 2026
Merged

Improvements to Dependabot and Workflow Configs, New .trivyignore File#475
hhund merged 1 commit intomainfrom
actions_and_dependabot_improvements

Conversation

@hhund
Copy link
Copy Markdown
Member

@hhund hhund commented Apr 19, 2026

  • added dependabot group for github-actions
  • added org.hl7.fhir CVE IDs to .trivyignore
  • actions version upgrades
  • reconfigured codeql, added actions scan
  • added category for trivy scan result upload

Merge direct to main so that we don't have to wait for the next release.

@hhund
improvements to dependabot and workflow configs, new .trivyignore file
94097d1 
- added dependabot group for github-actions
- added org.hl7.fhir CVE IDs to .trivyignore
- actions version upgrades
- reconfigured codeql, added actions scan
- added category for trivy scan result upload
@hhund hhund requested a review from schwzr April 19, 2026 15:55
@hhund hhund self-assigned this Apr 19, 2026
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Apr 19, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

schwzr
schwzr approved these changes Apr 20, 2026
View reviewed changes
Comment thread .github/dependabot.yml
ignore:
- dependency-name: "azul/zulu-openjdk"
versions:
- "26-jre-headless"
Copy link
Copy Markdown
Member

@schwzr schwzr Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe replace with

    ignore:
      - dependency-name: "azul/zulu-openjdk"
        update-types: ["version-update:semver-major"]

to also exclude JRE 27, ...?

Copy link
Copy Markdown
Member Author

@hhund hhund Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that using an update-types config will work here, as xx-jre-headless does not match the semver patter x.y.z.

@hhund hhund merged commit e908aae into main Apr 20, 2026
52 of 56 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@schwzr schwzr schwzr approved these changes

Assignees

@hhund hhund

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hhund @github-advanced-security @schwzr