From b93027640fa64308e3b6188ab030d9b640caf7d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Sat, 18 Apr 2026 14:19:10 +0000 Subject: [PATCH] chore: vuln workflow: use opus, no persist creds, conditional upload --- .github/workflows/vuln-scan.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/vuln-scan.yml b/.github/workflows/vuln-scan.yml index c95a790..9a9e8fe 100644 --- a/.github/workflows/vuln-scan.yml +++ b/.github/workflows/vuln-scan.yml @@ -1,4 +1,4 @@ -name: Daily transient-execution vulnerability scan +name: Online search for vulns on: schedule: @@ -8,7 +8,7 @@ on: permissions: contents: read actions: read # needed to list/download previous run artifacts - id-token: write + id-token: write # needed to mint OIDC token concurrency: group: vuln-scan @@ -24,6 +24,7 @@ jobs: uses: actions/checkout@v5 with: fetch-depth: 1 + persist-credentials: false # ---- Load previous state --------------------------------------------- # Find the most recent successful run of THIS workflow (other than the 
@@ -68,24 +69,23 @@ jobs: echo "State size: $(wc -c < state/seen.json) bytes" # ---- Run the scan ---------------------------------------------------- - # Runs Claude Code (Opus) against daily_vuln_scan_prompt.md. + # Runs Claude Code against daily_vuln_scan_prompt.md. # That prompt file fully specifies: sources to poll, how to read # state/seen.json, the 25-hour window, the output files to write, # and how to rewrite state/seen.json at the end of the run. - - name: Run vulnerability scan with Claude Opus + - name: Research for online mentions of new vulns uses: anthropics/claude-code-action@v1 env: SCAN_DATE: ${{ github.run_started_at }} with: - model: claude-opus-4-7 claude_args: | - --model claude-sonnet-4-6 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch" + --model claude-opus-4-7 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch" prompt: | Read the full task instructions from .github/workflows/daily_vuln_scan_prompt.md and execute them end-to-end. That file fully specifies: sources to poll, how to read and update state/seen.json, the 25-hour window, which rss_YYYY-MM-DD_*.md files to write, and the run guardrails. Use $SCAN_DATE (env var) as "now" for time-window decisions. claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - name: Upload Claude execution log - if: always() # keep the log even if the scan step failed + if: ${{ always() && steps.scan.outputs.execution_file != '' }} uses: actions/upload-artifact@v4 with: name: claude-execution-log-${{ github.run_id }}
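Review bot: The new upload condition reads `steps.scan.outputs.execution_file`, but the step that runs `anthropics/claude-code-action@v1` appears in full in this hunk and carries no `id:`. Unless a step with id `scan` exists outside the hunk, the reference resolves to an empty value, the comparison is false, and the execution log is never uploaded, including on failed runs where it matters most for review. Add `id: scan` under `- name: Research for online mentions of new vulns`, and keep a comment on the condition such as `# keep the log even if the scan step failed; skip when no log was produced`. Separately, the rewritten `--allowedTools` line still grants unrestricted `Bash` alongside `WebFetch` to a run that reads external pages while `CLAUDE_CODE_OAUTH_TOKEN` is in use. Narrowing `Bash` to the commands the prompt file actually needs would limit what injected page content could make the agent do on the runner.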