Pull request overview
Routine QC/tooling migration PR that updates the repo’s security/quality tooling configuration and aligns GitHub Actions workflows/devcontainer with the new baseline.
Changes:
- Replace Trivy ignore/config with Grype + add local pre-commit scanning support.
- Update GitHub Actions workflows to newer eps-common-workflows SHAs, add CODEOWNERS protection for workflow changes, and adjust workflow security settings.
- Bump devcontainer image version and add supporting config (zizmor + gitignore).
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| zizmor.yml | Adds zizmor rule ignore configuration. |
| .pre-commit-config.yaml | Adds a local grype-scan-local pre-commit hook. |
| .grype.yaml | Adds Grype vulnerability ignore configuration. |
| .gitignore | Ignores generated SBOM directory. |
| .github/workflows/sync_copilot.yml | Updates workflow default permissions configuration. |
| .github/workflows/ci.yml | Updates reusable workflow SHAs and sets workflow permissions. |
| .github/workflows/release.yml | Updates reusable workflow SHAs and sets workflow permissions. |
| .github/workflows/pull_request.yml | Updates reusable workflow SHAs and sets workflow permissions. |
| .github/workflows/package_npm_code.yml | Sets workflow permissions and adjusts checkout behavior. |
| .github/CODEOWNERS | Requires EPS admins to review workflow changes. |
| .devcontainer/devcontainer.json | Bumps devcontainer image version. |
| trivy.yaml | Removed as part of the move away from Trivy config. |
| .trivyignore.yaml | Removed Trivy vulnerability ignore list. |
| package_npm_code: | ||
| needs: [quality_checks, get_config_values] | ||
| uses: ./.github/workflows/package_npm_code.yml |
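Review bot: with this PR tightening workflow-level `permissions` in the caller, the `uses: ./.github/workflows/package_npm_code.yml` line needs a matching check on the called side: a reusable workflow cannot receive more `GITHUB_TOKEN` scope than the calling job grants, so confirm that the `permissions:` block added to package_npm_code.yml requests no more than this caller provides (or add a job-level `permissions:` here that covers it), otherwise the packaging job will lack the scopes it expects.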
The get_issue_number job earlier in this workflow does not appear to be used by any downstream job (no needs.get_issue_number.outputs.issue_number references). If it’s no longer needed, remove it to avoid extra workflow runtime/maintenance; otherwise wire its output into the jobs that require it.
.github/workflows/pull_request.yml
Outdated
| @@ -56,7 +67,6 @@ jobs: | |||
| } | |||
This fallback assumes listPullRequestsAssociatedWithCommit(...).data[0] always exists; if no PR is associated with the commit, this will throw. Since this workflow only runs on pull_request, context.issue.number should already be present—consider removing the fallback branch entirely (or guard against an empty .data result if you intend this script to be reusable for other events).
| - vulnerability: GHSA-c2c7-rcm5-vvqj | ||
| # flatted | ||
| - vulnerability: GHSA-rf6f-7fwh-wjgh | ||
| # minimatch | ||
| - vulnerability: GHSA-3ppc-4f35-3m26 | ||
| - vulnerability: GHSA-7r86-cg39-jmmj | ||
| - vulnerability: GHSA-23c5-xmqv-rm74 | ||
| - vulnerability: GHSA-25h7-pfq9-p65f |
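Review bot: every entry in this hunk matches on the GHSA identifier alone, so the suppression applies to any package in the SBOM that carries that advisory, not just the transitive dependency the comments (`# flatted`, `# minimatch`) name; scope each rule with Grype's `package:` sub-keys, e.g. `package: { name: minimatch }` (and `version:` where the accepted version is known), so a second, unrelated package with the same advisory still surfaces. The `# minimatch` comment also sits above four IDs (GHSA-3ppc-4f35-3m26 through GHSA-25h7-pfq9-p65f) while the first ID has no comment at all; stating the package per entry removes the ambiguity about which dependency each acceptance covers.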
.grype.yaml adds vulnerability ignores without any justification or expiry, which makes these suppressions effectively permanent. Consider adding reason and until fields per ignore entry (similar to how the removed Trivy ignore file recorded a statement/expiry) so accepted risks are time-bounded and auditable.
| - vulnerability: GHSA-c2c7-rcm5-vvqj | |
| # flatted | |
| - vulnerability: GHSA-rf6f-7fwh-wjgh | |
| # minimatch | |
| - vulnerability: GHSA-3ppc-4f35-3m26 | |
| - vulnerability: GHSA-7r86-cg39-jmmj | |
| - vulnerability: GHSA-23c5-xmqv-rm74 | |
| - vulnerability: GHSA-25h7-pfq9-p65f | |
| - vulnerability: GHSA-c2c7-rcm5-vvqj | |
| reason: "Temporary risk acceptance for a transitive dependency; review and remove once a fixed version is available and adopted." | |
| until: "2025-12-31" | |
| # flatted | |
| - vulnerability: GHSA-rf6f-7fwh-wjgh | |
| reason: "Temporary risk acceptance for a transitive dependency; review and remove once a fixed version is available and adopted." | |
| until: "2025-12-31" | |
| # minimatch | |
| - vulnerability: GHSA-3ppc-4f35-3m26 | |
| reason: "Temporary risk acceptance for a transitive dependency; review and remove once a fixed version is available and adopted." | |
| until: "2025-12-31" | |
| - vulnerability: GHSA-7r86-cg39-jmmj | |
| reason: "Temporary risk acceptance for a transitive dependency; review and remove once a fixed version is available and adopted." | |
| until: "2025-12-31" | |
| - vulnerability: GHSA-23c5-xmqv-rm74 | |
| reason: "Temporary risk acceptance for a transitive dependency; review and remove once a fixed version is available and adopted." | |
| until: "2025-12-31" | |
| - vulnerability: GHSA-25h7-pfq9-p65f | |
| reason: "Temporary risk acceptance for a transitive dependency; review and remove once a fixed version is available and adopted." | |
| until: "2025-12-31" |
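The following is an added example, not code from this PR or the repository it targets: a small policy check that can sit beside the `grype-scan-local` pre-commit hook and fail the commit when an `ignore:` entry in `.grype.yaml` has no `reason`, has no `until` date, has an `until` date that has already passed, or is not scoped to a `package:` name. It assumes the file is parsed with PyYAML (`yaml.safe_load`) and treats `reason` and `until` as repository-policy metadata; whether Grype itself reads those two keys is not established on this page, so the script enforces them independently of the scanner. The sample entries, IDs and the reference date `POLICY_DATE` are constructed for the example.

```python
"""Policy check for Grype ignore entries (added example, not project code).

Fails when an entry under `ignore:` in .grype.yaml lacks a `reason`, lacks an
`until` expiry, has an expired `until`, or is not scoped to a package name.
`reason`/`until` are treated here as repository metadata; this script does not
rely on Grype honouring them.
"""
from __future__ import annotations

import sys
from datetime import date, datetime
from typing import Any

# Fixed reference date for the constructed sample below (a real run uses date.today()).
POLICY_DATE = date(2025, 6, 1)

# Constructed sample in the shape yaml.safe_load returns for an `ignore:` list.
# The GHSA identifiers are placeholders, not real advisories.
SAMPLE_IGNORES: list[dict[str, Any]] = [
    {   # complete, unexpired, scoped to a package: passes
        "vulnerability": "GHSA-0000-0000-0001",
        "package": {"name": "minimatch"},
        "reason": "ReDoS in a build-time devDependency; not reachable at runtime.",
        "until": "2025-12-31",
    },
    {   # bare ID with no metadata, as in the PR's original entries: three findings
        "vulnerability": "GHSA-0000-0000-0002",
    },
    {   # acceptance window already closed: one finding
        "vulnerability": "GHSA-0000-0000-0003",
        "package": {"name": "flatted"},
        "reason": "Awaiting upstream fix.",
        "until": date(2025, 1, 15),  # PyYAML yields a date object for an unquoted date
    },
]


def _parse_until(value: Any) -> date:
    """Accept a date/datetime (unquoted YAML) or an ISO-8601 string (quoted YAML)."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    return date.fromisoformat(str(value).strip())


def check_ignore_entry(entry: dict[str, Any], today: date) -> list[str]:
    """Return the policy violations for one ignore entry; an empty list means it passes."""
    label = str(entry.get("vulnerability") or "<no vulnerability id>")
    problems: list[str] = []

    if not str(entry.get("reason") or "").strip():
        problems.append(f"{label}: missing 'reason'")

    until = entry.get("until")
    if until is None:
        problems.append(f"{label}: missing 'until' expiry")
    else:
        try:
            expiry = _parse_until(until)
        except ValueError:
            problems.append(f"{label}: 'until' is not an ISO date: {until!r}")
        else:
            if expiry < today:
                problems.append(f"{label}: risk acceptance expired on {expiry.isoformat()}")

    # An unscoped rule silences the advisory for every package that carries it.
    package = entry.get("package") or {}
    if not isinstance(package, dict) or not package.get("name"):
        problems.append(f"{label}: not scoped to a package (any package with this ID is ignored)")

    return problems


def check_ignores(ignores: list[dict[str, Any]], today: date) -> list[str]:
    """Run check_ignore_entry over the whole `ignore:` list and collect the findings."""
    findings: list[str] = []
    for entry in ignores:
        findings.extend(check_ignore_entry(entry, today))
    return findings


def main(argv: list[str]) -> int:
    """Load .grype.yaml (argv[1], default ./.grype.yaml); exit 1 if any entry violates policy."""
    import yaml  # PyYAML; imported here so the check functions stay dependency-free

    path = argv[1] if len(argv) > 1 else ".grype.yaml"
    with open(path, encoding="utf-8") as fh:
        config = yaml.safe_load(fh) or {}
    findings = check_ignores(config.get("ignore") or [], date.today())
    for line in findings:
        print(line, file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a `repo: local` hook with `entry: python3 scripts/check_grype_ignores.py` and `files: ^\.grype\.yaml$` (path is an assumption), this runs only when the ignore file changes and turns an expired or unjustified suppression into a blocked commit rather than a silent permanent exception.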
| install-node: | ||
| npm ci | ||
| npm ci --ignore-scripts true |
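Review bot: independent of the stray `true` argument on the `npm ci --ignore-scripts true` line, `--ignore-scripts` suppresses every dependency's install-time lifecycle scripts, not only untrusted ones, so any package in the lock file that relies on a `postinstall` build step will now be left incomplete by `install-node`; confirm no such dependency exists in the project, or follow the install with an explicit `npm rebuild <package>` for the ones that do, and record that decision in the Makefile comment so the hardening is not reverted the first time an install "mysteriously" breaks.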
npm ci --ignore-scripts true passes an extra positional argument (true) to npm ci, which can cause the command to fail or behave unexpectedly. Use the boolean flag form (npm ci --ignore-scripts) or the explicit assignment form (--ignore-scripts=true) so the install reliably runs with scripts disabled.
| npm ci --ignore-scripts true | |
| npm ci --ignore-scripts |
| @@ -0,0 +1,2 @@ | |||
| # restrict access to approving workflow changes | |||
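Review bot: the hunk header `@@ -0,0 +1,2 @@` shows the file has a second line, the ownership pattern, which is not visible here; whatever pattern it carries for `.github/workflows/` should also cover `.github/CODEOWNERS` itself, otherwise a pull request can relax or delete the ownership rule in the same change it makes to a workflow and the eps-admins review requirement never triggers. Pair this with the branch-protection or ruleset setting that requires code-owner review, since without it the file has no effect on merging.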
The comment says this file will “restrict access” to workflow changes, but CODEOWNERS only enforces review ownership (when branch protection requires code owner review); it doesn’t restrict who can push changes. Consider rewording this to avoid implying access control is being applied.
| # restrict access to approving workflow changes | |
| # require review from eps-admins for workflow changes |