Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 11 additions & 8 deletions .github/workflows/fix-vulnerabilities.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,6 @@
branch="remediate-vulnerabilities-${{ needs.gather_facts.outputs.branch }}"
echo "branch=${branch}" >> $GITHUB_OUTPUT
git checkout -b "${branch}"
git pull origin "${branch}" || true

- name: Run nancy-fixer fix
uses: docker://gsoci.azurecr.io/giantswarm/nancy-fixer:0.10.1
Expand Down Expand Up @@ -124,16 +123,20 @@
env:
remote_repo: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
run: |
git push "${remote_repo}" HEAD:"${{ steps.create_branch.outputs.branch }}"
git push --force "${remote_repo}" HEAD:"${{ steps.create_branch.outputs.branch }}"

Check notice

Code scanning / zizmor

code injection via template expansion: may expand into attacker-controllable code Note

code injection via template expansion: may expand into attacker-controllable code
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed

- name: Create pull request
env:
GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
run: |
gh pr create \
--title "fix(nancy): remediate findings on ${{ needs.gather_facts.outputs.branch }}" \
--body "Fix Nancy findings on branch ${{ needs.gather_facts.outputs.branch }}" \
--head "${{ steps.create_branch.outputs.branch }}" \
--base "${{ needs.gather_facts.outputs.branch }}"
gh pr merge --auto --squash
branch="${{ steps.create_branch.outputs.branch }}"

Check notice

Code scanning / zizmor

code injection via template expansion: may expand into attacker-controllable code Note

code injection via template expansion: may expand into attacker-controllable code
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
base="${{ needs.gather_facts.outputs.branch }}"

Check notice

Code scanning / zizmor

code injection via template expansion: may expand into attacker-controllable code Note

code injection via template expansion: may expand into attacker-controllable code
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
if [ -z "$(gh pr list --head "${branch}" --state open --json number --jq '.[0].number')" ]; then
gh pr create \
--title "fix(nancy): remediate findings on ${base}" \
--body "Fix Nancy findings on branch ${base}" \
--head "${branch}" \
--base "${base}"
fi
gh pr merge --auto --squash "${branch}"
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
however this project does not use Semantic Versioning and there are no releases.
Instead this file uses a date-based structure.

## 2026-07-07

### Fixed

- `fix-vulnerabilities.yaml` — the nancy remediation job no longer fails to push when a previous run's PR is still open. The stable, regenerated `remediate-vulnerabilities-<base>` branch had divergent history, so the plain push was rejected. Dropped the silently-failing `git pull`, switched to `git push --force`, and made `gh pr create` idempotent.

## 2026-07-06

### Fixed
Expand Down