
CI: Run vulnerability check job on default branch only

On CI, we have a job to scan for the project's vulnerabilities. It uses a govulncheck scanner from an up-to-date external database. When a CVE is introduced, that job fails and blocks all MRs and merge trains.

Most of the time, a CVE is resolved by upgrading the upstream image's Go version. There is nothing we can do about it in Gitaly. It does not make sense to block the process until then. It still makes sense to run it on the default branch to avoid introducing new vulnerabilities.

This MR lets that job run on the default branch only and manually on MRs and merge trains.


Edited by Quang-Minh Nguyen
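The rule change described above, written out as an added `.gitlab-ci.yml` example. This is not the merge request's own diff or Gitaly's actual CI configuration: the job name `govulncheck`, the `test` stage and the `golang:1.22` image are assumptions chosen for illustration. It relies only on GitLab's predefined `CI_COMMIT_BRANCH`, `CI_DEFAULT_BRANCH` and `CI_PIPELINE_SOURCE` variables; merge train pipelines also run with `CI_PIPELINE_SOURCE` set to `merge_request_event`, so the second rule covers both MR pipelines and merge trains.

```yaml
# Added example, not Gitaly's own pipeline definition.
# Assumptions: job name, stage and image are placeholders for illustration.
govulncheck:
  stage: test
  image: golang:1.22
  script:
    # Install the scanner and check every package in the module against the
    # Go vulnerability database; a reachable known vulnerability fails the job.
    - go install golang.org/x/vuln/cmd/govulncheck@latest
    - govulncheck ./...
  rules:
    # Automatic and blocking on the default branch: a newly published CVE
    # surfaces as a red pipeline there instead of blocking every MR.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    # Manual on merge request and merge train pipelines. Inside `rules`,
    # `when: manual` jobs default to allow_failure: false, which would hold
    # the pipeline in a blocked state; allow_failure: true keeps the job
    # optional so the MR can merge without it having been run.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
      allow_failure: true
```

Because no rule matches other pipeline sources (for example tags or scheduled pipelines), the job simply does not appear in those pipelines; add further `if:` entries if the scan should also run there.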
