From a1be6f27dafb2e221abaa24dc747fcd2997c6b01 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 04:17:42 +0000 Subject: [PATCH 1/5] Initial plan From 56e5812510a6eeebcb89cb1f0b040a6b03e5f69a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 04:22:09 +0000 Subject: [PATCH 2/5] Plan: Update security-guard to only run on ready PRs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/aw/actions-lock.json | 4 ++-- .github/workflows/release.lock.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 11344e2bc6..fe8d5f183c 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -65,7 +65,7 @@ "version": "v8.0.0", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, - "actions/setup-dotnet@v4": { + "actions/setup-dotnet@v4.3.1": { "repo": "actions/setup-dotnet", "version": "v4.3.1", "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9" @@ -80,7 +80,7 @@ "version": "v6.1.0", "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c" }, - "actions/setup-java@v4": { + "actions/setup-java@v4.8.0": { "repo": "actions/setup-java", "version": "v4.8.0", "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9" diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index cb56201092..923c9030bd 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -1359,13 +1359,13 @@ jobs: - name: Download Go modules run: go mod download - name: Generate SBOM (SPDX format) - uses: anchore/sbom-action@62ad5284b8ced813296287a0b63906cb364b73ee # v0 + uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0 with: artifact-name: sbom.spdx.json format: spdx-json output-file: sbom.spdx.json - name: Generate SBOM (CycloneDX format) - uses: anchore/sbom-action@62ad5284b8ced813296287a0b63906cb364b73ee # v0 + uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0 with: artifact-name: sbom.cdx.json format: cyclonedx-json @@ -1399,7 +1399,7 @@ jobs: - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to GitHub Container Registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io From 9dcf06a04148b29d7d6f097104b66ec36ca250ab Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 04:23:47 +0000 Subject: [PATCH 3/5] Update security-guard to only run on ready PRs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/security-guard.lock.yml | 7 +++++-- .github/workflows/security-guard.md | 3 ++- pkg/workflow/data/action_pins.json | 4 ++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 12b5db29c9..c001c8a51e 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -28,6 +28,7 @@ name: "Security Guard Agent 🛡️" - opened - synchronize - reopened + - ready_for_review permissions: {} 
@@ -41,7 +42,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) + (needs.pre_activation.outputs.activated == 'true') && ((${{ !github.event.pull_request.draft }}) && ((github.event_name != 'pull_request') || + (github.event.pull_request.head.repo.id == github.repository_id))) runs-on: ubuntu-slim permissions: contents: read @@ -1176,7 +1178,8 @@ jobs: if-no-files-found: ignore pre_activation: - if: (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id) + if: > + (${{ !github.event.pull_request.draft }}) && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/security-guard.md b/.github/workflows/security-guard.md index 29d9f1d2fa..e889561f80 100644 --- a/.github/workflows/security-guard.md +++ b/.github/workflows/security-guard.md @@ -2,7 +2,8 @@ description: Automated security guard that reviews every PR for changes that could weaken security posture, only commenting when concrete evidence of security concerns exists on: pull_request: - types: [opened, synchronize, reopened] + types: [opened, synchronize, reopened, ready_for_review] +if: ${{ !github.event.pull_request.draft }} permissions: contents: read pull-requests: read diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json index 11344e2bc6..fe8d5f183c 100644 --- a/pkg/workflow/data/action_pins.json +++ b/pkg/workflow/data/action_pins.json @@ -65,7 +65,7 @@ "version": "v8.0.0", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, - "actions/setup-dotnet@v4": { + "actions/setup-dotnet@v4.3.1": { "repo": "actions/setup-dotnet", "version": "v4.3.1", "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9" 
@@ -80,7 +80,7 @@ "version": "v6.1.0", "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c" }, - "actions/setup-java@v4": { + "actions/setup-java@v4.8.0": { "repo": "actions/setup-java", "version": "v4.8.0", "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9" From 7fabb5b9cdbc6f2a9f42adb523e9d379e99ff9ac Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 04:26:03 +0000 Subject: [PATCH 4/5] Use draft: false field instead of if condition for consistency Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/security-guard.lock.yml | 9 ++++++--- .github/workflows/security-guard.md | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index c001c8a51e..d3aa8eb426 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -24,6 +24,7 @@ name: "Security Guard Agent 🛡️" "on": pull_request: + # draft: false # Draft filtering applied via job conditions types: - opened - synchronize @@ -42,8 +43,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((${{ !github.event.pull_request.draft }}) && ((github.event_name != 'pull_request') || - (github.event.pull_request.head.repo.id == github.repository_id))) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.draft == false)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id))) runs-on: ubuntu-slim permissions: contents: read 
@@ -1179,7 +1180,9 @@ jobs: pre_activation: if: > - (${{ !github.event.pull_request.draft }}) && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) + ((github.event_name != 'pull_request') || (github.event.pull_request.draft == false)) && + ((github.event_name != 'pull_request') || + (github.event.pull_request.head.repo.id == github.repository_id)) runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/security-guard.md b/.github/workflows/security-guard.md index e889561f80..10f71769ac 100644 --- a/.github/workflows/security-guard.md +++ b/.github/workflows/security-guard.md @@ -3,7 +3,7 @@ description: Automated security guard that reviews every PR for changes that cou on: pull_request: types: [opened, synchronize, reopened, ready_for_review] -if: ${{ !github.event.pull_request.draft }} + draft: false permissions: contents: read pull-requests: read From 2ae39f660f82c164913d9effa52a11185ffc0644 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 04:33:59 +0000 Subject: [PATCH 5/5] Remove opened, synchronize, reopened events per review feedback Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/security-guard.lock.yml | 3 --- .github/workflows/security-guard.md | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index d3aa8eb426..a3672acfc1 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -26,9 +26,6 @@ name: "Security Guard Agent 🛡️" pull_request: # draft: false # Draft filtering applied via job conditions types: - - opened - - synchronize - - reopened - ready_for_review permissions: {} diff --git a/.github/workflows/security-guard.md b/.github/workflows/security-guard.md index 10f71769ac..93a24f2459 100644 
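Review bot: Dropping `opened`, `synchronize` and `reopened` from `types` leaves `ready_for_review` as the only trigger, so the `github.event.pull_request.draft == false` guards added to `pre_activation` and `activation` in the earlier hunks of this file can no longer be false, and the workflow never runs for a PR that is opened directly in the ready state or for commits pushed after a PR is marked ready. For a job whose stated purpose is to catch security-weakening changes that is a bypass rather than a narrowing: open the PR non-draft, or convert it to ready and then push the commit the guard should have seen. The job-level draft guards already implement the "ready PRs only" policy, so the three removed `types` entries should be restored in the source `.md` and this lock file regenerated from it; the `# draft: false # Draft filtering applied via job conditions` comment kept in the hunk already describes that mechanism. The enclosing `"on":` mapping starts above this hunk.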
--- a/.github/workflows/security-guard.md +++ b/.github/workflows/security-guard.md @@ -2,7 +2,7 @@ description: Automated security guard that reviews every PR for changes that could weaken security posture, only commenting when concrete evidence of security concerns exists on: pull_request: - types: [opened, synchronize, reopened, ready_for_review] + types: [ready_for_review] draft: false permissions: contents: read
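Review bot: With `types: [ready_for_review]` as the sole trigger, a pull request opened directly as non-draft (the default) never emits that event, so the guard never reviews it, and the `draft: false` filter retained on the next line has nothing left to filter. Removing `synchronize` additionally means commits pushed after a PR is marked ready are never re-reviewed, so the verdict reflects only the snapshot at conversion time and a later push can carry the change the guard was meant to catch. The `description` in the same hunk still promises to review "every PR", which this trigger set no longer delivers. Keeping `types: [opened, synchronize, reopened, ready_for_review]` together with `draft: false` yields the intended "ready PRs only" behaviour without the coverage gap.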