chore: vuln workflow: use opus, no persist creds, conditional upload

Stéphane Lesimple
2026-04-18 14:19:10 +00:00
committed by GitHub
parent 5c27284119
commit b93027640f


@@ -1,4 +1,4 @@
name: Daily transient-execution vulnerability scan
name: Online search for vulns
on:
schedule:
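Review bot: the new workflow name `Online search for vulns` drops both the cadence and the scope that `Daily transient-execution vulnerability scan` carried, while the concurrency group (`vuln-scan`) and the prompt file (`daily_vuln_scan_prompt.md`) still use the old naming; consider a name that keeps the schedule and the subject, e.g. `Daily online search for new vulns`, so the Actions tab and the prompt file stay consistent.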
@@ -8,7 +8,7 @@ on:
permissions:
contents: read
actions: read # needed to list/download previous run artifacts
id-token: write
id-token: write # needed to mint OIDC token
concurrency:
group: vuln-scan
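Review bot: `id-token: write` is kept and now documented as "needed to mint OIDC token", but nothing in the visible hunks consumes an OIDC token: the scan step authenticates with `secrets.CLAUDE_CODE_OAUTH_TOKEN` and the artifact handling is covered by `actions: read`. If no step actually requests an ID token, drop the permission under least privilege; if one does, name that consumer in the comment so the next reviewer can verify the grant is still needed.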
@@ -24,6 +24,7 @@ jobs:
uses: actions/checkout@v5
with:
fetch-depth: 1
persist-credentials: false
# ---- Load previous state ---------------------------------------------
# Find the most recent successful run of THIS workflow (other than the
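Review bot: `persist-credentials: false` is the right choice here, since the workflow hands an agent `Bash` and `WebFetch` over the checked-out tree and there is no reason to leave `GITHUB_TOKEN` in `.git/config` where it could be read or sent outbound; confirm that no later step shells out to `git fetch`/`git push` expecting that stored credential, which should hold given that state is carried via previous run artifacts rather than commits.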
@@ -68,24 +69,23 @@ jobs:
echo "State size: $(wc -c < state/seen.json) bytes"
# ---- Run the scan ----------------------------------------------------
# Runs Claude Code (Opus) against daily_vuln_scan_prompt.md.
# Runs Claude Code against daily_vuln_scan_prompt.md.
# That prompt file fully specifies: sources to poll, how to read
# state/seen.json, the 25-hour window, the output files to write,
# and how to rewrite state/seen.json at the end of the run.
- name: Run vulnerability scan with Claude Opus
- name: Research for online mentions of new vulns
uses: anthropics/claude-code-action@v1
env:
SCAN_DATE: ${{ github.run_started_at }}
with:
model: claude-opus-4-7
claude_args: |
--model claude-sonnet-4-6 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
--model claude-opus-4-7 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
prompt: |
Read the full task instructions from .github/workflows/daily_vuln_scan_prompt.md and execute them end-to-end. That file fully specifies: sources to poll, how to read and update state/seen.json, the 25-hour window, which rss_YYYY-MM-DD_*.md files to write, and the run guardrails. Use $SCAN_DATE (env var) as "now" for time-window decisions.
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
- name: Upload Claude execution log
if: always() # keep the log even if the scan step failed
if: ${{ always() && steps.scan.outputs.execution_file != '' }}
uses: actions/upload-artifact@v4
with:
name: claude-execution-log-${{ github.run_id }}
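Review bot: the new upload condition `${{ always() && steps.scan.outputs.execution_file != '' }}` references `steps.scan`, but no `id: scan` appears on the renamed scan step in the visible lines; without that id the expression evaluates to empty and the execution log is never uploaded, so add `id: scan` to the step or adjust the reference. Note also that if the scan step fails before `execution_file` is set, the log is skipped in exactly the case where it is most useful; `if: always()` with `if-no-files-found: ignore` on `actions/upload-artifact@v4` would keep the old behaviour without the failure noise. Finally, the model is now given twice, as the `model: claude-opus-4-7` input and as `--model claude-opus-4-7` in `claude_args`; keep one so the two cannot drift.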