peter/spectre-meltdown-checker
1
0
Fork 0
mirror of https://github.com/speed47/spectre-meltdown-checker.git synced 2026-04-20 07:33:20 +02:00
Code Issues Projects Releases Wiki Activity

chore: vuln workflow: use opus, no persist creds, conditional upload

Browse Source
This commit is contained in:
Stéphane Lesimple
2026-04-18 14:19:10 +00:00
committed by GitHub
parent 5c27284119
commit b93027640f
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.github/workflows/vuln-scan.yml vendored
View File

@@ -1,4 +1,4 @@
name: Daily transient-execution vulnerability scan name: Online search for vulns
on: on:
schedule: schedule:
@@ -8,7 +8,7 @@ on:
permissions: permissions:
contents: read contents: read
actions: read # needed to list/download previous run artifacts actions: read # needed to list/download previous run artifacts
id-token: write id-token: write # needed to mint OIDC token
concurrency: concurrency:
group: vuln-scan group: vuln-scan
@@ -24,6 +24,7 @@ jobs:
uses: actions/checkout@v5 uses: actions/checkout@v5
with: with:
fetch-depth: 1 fetch-depth: 1
persist-credentials: false
# ---- Load previous state --------------------------------------------- # ---- Load previous state ---------------------------------------------
# Find the most recent successful run of THIS workflow (other than the # Find the most recent successful run of THIS workflow (other than the
@@ -68,24 +69,23 @@ jobs:
echo "State size: $(wc -c < state/seen.json) bytes" echo "State size: $(wc -c < state/seen.json) bytes"
# ---- Run the scan ---------------------------------------------------- # ---- Run the scan ----------------------------------------------------
# Runs Claude Code (Opus) against daily_vuln_scan_prompt.md. # Runs Claude Code against daily_vuln_scan_prompt.md.
# That prompt file fully specifies: sources to poll, how to read # That prompt file fully specifies: sources to poll, how to read
# state/seen.json, the 25-hour window, the output files to write, # state/seen.json, the 25-hour window, the output files to write,
# and how to rewrite state/seen.json at the end of the run. # and how to rewrite state/seen.json at the end of the run.
- name: Run vulnerability scan with Claude Opus - name: Research for online mentions of new vulns
uses: anthropics/claude-code-action@v1 uses: anthropics/claude-code-action@v1
env: env:
SCAN_DATE: ${{ github.run_started_at }} SCAN_DATE: ${{ github.run_started_at }}
with: with:
model: claude-opus-4-7
claude_args: | claude_args: |
--model claude-sonnet-4-6 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch" --model claude-opus-4-7 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
prompt: | prompt: |
Read the full task instructions from .github/workflows/daily_vuln_scan_prompt.md and execute them end-to-end. That file fully specifies: sources to poll, how to read and update state/seen.json, the 25-hour window, which rss_YYYY-MM-DD_*.md files to write, and the run guardrails. Use $SCAN_DATE (env var) as "now" for time-window decisions. Read the full task instructions from .github/workflows/daily_vuln_scan_prompt.md and execute them end-to-end. That file fully specifies: sources to poll, how to read and update state/seen.json, the 25-hour window, which rss_YYYY-MM-DD_*.md files to write, and the run guardrails. Use $SCAN_DATE (env var) as "now" for time-window decisions.
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
- name: Upload Claude execution log - name: Upload Claude execution log
if: always() # keep the log even if the scan step failed if: ${{ always() && steps.scan.outputs.execution_file != '' }}
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
name: claude-execution-log-${{ github.run_id }} name: claude-execution-log-${{ github.run_id }}