chore: update pvtr plugin to v0.24.0+2fixes#4314
Conversation
Bumps pvtr-github-repo-scanner from v0.23.2 (c7bd9538) to commit c1095c95, which is post-v0.24.0 and includes two required fixes: - fix(OSPS-BR-07.01): consult Security Insights when security_and_analysis is null - fix(OSPS-LE-02.01): pass deprecated but OSI/FSF-approved SPDX IDs Also updates the plugin build stage to golang:1.26.4-alpine3.22, required by go.mod at the new commit (go 1.26.4). Privateer binary stays at 0.21.2, confirmed compatible by pvtr's own Dockerfile. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
There was a problem hiding this comment.
Pull request overview
This PR bumps the pvtr-github-repo-scanner plugin used by the security_best_practices_worker image from the v0.23.2 pin (commit c7bd9538) to a post-v0.24.0 commit (c1095c95, labeled "v0.24.0+2fixes"), which pulls in two required OSPS bug fixes. The change is isolated to a single build Dockerfile and involves no application code. I verified the change against the upstream scanner repo at the pinned commit: its go.mod declares go 1.26.4 and its own Dockerfile uses golang:1.26.4-alpine3.22 (digest-pinned), so the base-image change and version bump are correct and consistent. No other references to the old version or commit exist elsewhere in the repo.
Changes:
- Bump
PVTR_VERSIONtov0.24.0andPVTR_COMMITtoc1095c95…, updating the accompanying comment to match. - Update the plugin build stage base image from
golang:1.26.3-alpine3.23togolang:1.26.4-alpine3.22(matches upstreamgo 1.26.4requirement).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
…sion Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
2f5a626 to
8ea9d01
Compare
…check Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
services/apps/security_best_practices_worker/src/workflows/triggerSecurityInsightsCheckForRepos.ts:213
- This gate ignores
repoAttemptedTokens. If token A already returnedTokenRepoAccessErrorfor this repo while token B is rate-limited, A keepshasFreeTokentrue, butprocessRepoimmediately excludes A, requeues the repo, and repeats. The workflow then emitsgetCurrentTimeMsactivities in a hot loop and never reaches the defer branch. Select a queued repo only when a token is usable after that repo's exclusions.
* Each task will acquire a token, process the repo, and then release the token.
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
37e0a2e to
1daefa3
Compare
…oken handling Permission 403s don't need their own error type — the child workflow's retry policy (5 attempts) exhausts naturally and the repo defers to the next scheduled run. Introducing TokenRepoAccessError required per-repo attempted-token tracking (repoAttemptedTokens map, sawRateLimit flag, releaseCounter) that added ~60 lines of complexity for a marginal benefit. Core fixes from the AI-generated code are preserved: unwrapApplicationFailure (ChildWorkflowFailure traversal was silently broken), TokenAuthError for 401s, isInvalid token field, rateLimitedAt 1h expiry, hasFreeToken guard, and deferred flag to prevent continueAsNew spin on full rate-limit. Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 6a552da. Configure here.

Summary
Bumps `pvtr-github-repo-scanner` and hardens the security-insights worker's token handling.
Plugin bump
Token error classification (`classifyTokenError`)
Redis-persisted token state (`ITokenInfo`)
Workflow (`triggerSecurityInsightsCheckForRepos`)
No breaking changes