Skip to content

Fix security workflows: CodeQL autobuild + pin scorecard-action#4

Merged
ErenAri merged 1 commit into
mainfrom
fix-security-workflows
Jun 14, 2026
Merged

Fix security workflows: CodeQL autobuild + pin scorecard-action#4
ErenAri merged 1 commit into
mainfrom
fix-security-workflows

Conversation

@ErenAri

@ErenAri ErenAri commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

First on-main runs of the Layer 4 workflows failed for two fixable reasons:

  • CodeQL: Go does not support the none build mode. Switched to build-mode: autobuild (runs go build, no C/libbpf toolchain needed) and pinned Go 1.25.11 to match CI.
  • Scorecard: ossf/scorecard-action@v2 no longer resolves. Pinned to v2.4.3 and added actions: read so the token-permission/pinning checks evaluate instead of degrading.

🤖 Generated with Claude Code

- CodeQL: Go does not support build-mode none; switch to autobuild (+ pin Go
  1.25.11 to match CI). go build needs no C/libbpf toolchain.
- Scorecard: ossf/scorecard-action@v2 no longer resolves; pin to v2.4.3 and
  add actions: read so the token-permission/pinning checks evaluate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@ErenAri ErenAri merged commit 28ffdd4 into main Jun 14, 2026
6 checks passed
@ErenAri ErenAri deleted the fix-security-workflows branch June 14, 2026 13:01
ErenAri added a commit that referenced this pull request Jun 20, 2026
#4 of the production-readiness track. A systemd timer probes /api/health every
2 minutes and restarts bpfcompat-serve if it is unhealthy after retries
(optional webhook alert) — catching "process up but API hung", which plain
Restart=on-failure misses. Runbook gains a Monitoring section covering this
watchdog plus the external-monitor setup (the real safety net for box-down).

- scripts/healthcheck.sh (configurable URL/unit/retries/webhook)
- packaging/systemd/bpfcompat-healthcheck.{service,timer}
- docs/hetzner-runbook.md: section 6 (uptime monitoring, both layers)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants