
fix(workflow): repair CodeQL run lookup in advisory poller#260

Merged: davida-ps merged 1 commit into main from davida-ps/fix-codeql-run-jq-args on Jun 10, 2026

Conversation

@davida-ps davida-ps commented Jun 9, 2026

Collaborator

User description

Summary

  • fix the advisory poller CodeQL wait step by piping gh run list JSON into jq when using jq variables
  • keep the existing head SHA and dispatch-time filtering behavior
  • add a workflow regression assertion so gh --jq is not used with jq CLI flags again

Why

Recent scheduled Poll NVD CVEs runs create/update the automated advisory PR, then fail because gh run list treats --arg as an unknown gh flag. That leaves advisory updates in PR #257 instead of cleanly completing the workflow.

Validation

  • node scripts/test-nvd-ghsa-consolidation-workflow.mjs
  • node scripts/test-ghsa-without-cve-feed.mjs
  • node scripts/test-nvd-ghsa-pipeline-dry-run.mjs
  • git diff --check

Generated description

Below is a concise technical summary of the changes proposed in this PR:
Correct the poll-nvd-cves workflow's CodeQL wait step to pipe gh run list JSON into jq -r --arg filters so dispatch-time and head SHA checks run without passing jq flags to gh. Add regression assertions in the NVD GHSA consolidation tests to ban --jq --arg usage and require the expected jq -r --arg filtering pattern for the CodeQL run lookup.

Topic: CodeQL run lookup
Details: Fix the CodeQL run lookup in the poll-nvd-cves workflow by piping the gh run list JSON output through jq -r --arg filters to maintain the existing dispatch-time and head SHA selection without passing jq flags to gh.
Modified files (1)
  • .github/workflows/poll-nvd-cves.yml
Latest contributors (2)
  • David.a@prompt.security: fix(workflow): filter ... (June 09, 2026)
  • david.a@prompt.security: fix(workflow): wait fo... (May 27, 2026)

Topic: Regression assertions
Details: Add regression assertions in the NVD GHSA consolidation tests to forbid --jq --arg usage and verify the new jq -r --arg filtering pattern for the CodeQL run lookup.
Modified files (1)
  • scripts/test-nvd-ghsa-consolidation-workflow.mjs
Latest contributors (2)
  • David.a@prompt.security: fix(workflow): filter ... (June 09, 2026)
  • david.a@prompt.security: feat(advisories): add ... (May 24, 2026)
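The regression assertion the description talks about, as an added example that is not the project's own test (the real check lives in scripts/test-nvd-ghsa-consolidation-workflow.mjs, which this page does not show): a small Node.js lint that scans the shell of a workflow run: step, flags `gh run list --jq '...' --arg ...` (gh has no --arg flag of its own, so it rejects --arg as unknown, which is the failure the PR describes), and requires the `gh run list --json ... | jq -r --arg ...` shape instead. The two step scripts are constructed here to show the broken and fixed forms; the function names, the gh field list and the jq filter are assumptions, not the workflow's actual text.

```javascript
// Added example, not the project's test script. Lints the shell of a workflow
// `run:` step for the bug this PR fixed: `gh run list --jq '<filter>' --arg k v`
// fails because gh has no --arg flag of its own (it rejects --arg as unknown),
// so jq variables must go to a real jq: `gh run list --json ... | jq -r --arg k v`.
// Function names and the two sample step scripts are assumptions/constructed.

// Constructed step scripts (not copied from .github/workflows/poll-nvd-cves.yml).
const BROKEN_STEP = `
RUN_ID=$(gh run list --workflow codeql.yml --json databaseId,headSha,createdAt \\
  --jq '.[] | select(.headSha == $sha and .createdAt >= $since) | .databaseId' \\
  --arg sha "$HEAD_SHA" --arg since "$DISPATCHED_AT" | head -n1)
`;

const FIXED_STEP = `
RUN_ID=$(gh run list --workflow codeql.yml --json databaseId,headSha,createdAt \\
  | jq -r --arg sha "$HEAD_SHA" --arg since "$DISPATCHED_AT" \\
      '[.[] | select(.headSha == $sha and .createdAt >= $since)] | first | .databaseId // empty')
`;

// Split text on any of the separators, but only outside single/double quotes,
// so the `|` and `;` inside a quoted jq filter are left alone.
// (Backslash escapes inside double quotes are not handled; enough for a lint.)
function splitUnquoted(text, separators) {
  const parts = [];
  let current = "";
  let quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      current += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') {
      quote = ch;
      current += ch;
      continue;
    }
    const sep = separators.find((s) => text.startsWith(s, i));
    if (sep) {
      parts.push(current);
      current = "";
      i += sep.length - 1;
      continue;
    }
    current += ch;
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// True when `flag` appears as a standalone word (`--arg` does not match `--argjson`).
function hasFlag(text, flag) {
  return new RegExp(`(^|\\s)${flag}(\\s|=|$)`).test(text);
}

// Problems for one shell command; an empty array means the command passes.
function checkCommand(command) {
  const problems = [];
  const stages = splitUnquoted(command, ["|"]);
  const ghIndex = stages.findIndex((s) => /(^|[\s(`])gh\s+run\s+list\b/.test(s));
  if (ghIndex === -1) return problems;
  // Only commands that use jq variables are in scope for this check.
  if (!hasFlag(command, "--arg") && !hasFlag(command, "--argjson")) return problems;
  const gh = stages[ghIndex];
  if (hasFlag(gh, "--jq")) {
    problems.push("`gh run list --jq` combined with `--arg`: gh rejects --arg as an unknown flag");
  }
  const jq = stages.slice(ghIndex + 1).find((s) => /^jq\b/.test(s));
  const jqHasVars = jq && (hasFlag(jq, "--arg") || hasFlag(jq, "--argjson"));
  if (!hasFlag(gh, "--json") || !jqHasVars) {
    problems.push("expected `gh run list --json ... | jq -r --arg ...` so jq, not gh, evaluates the variables");
  }
  return problems;
}

// Lint a whole `run:` script: join backslash line continuations, split into
// commands on unquoted newlines / && / || / ;, and report each problem with
// the offending command appended.
function lintRunScript(script) {
  const joined = script.replace(/\\\r?\n\s*/g, " ");
  return splitUnquoted(joined, ["\n", "&&", "||", ";"]).flatMap((cmd) =>
    checkCommand(cmd).map((p) => `${p}\n    in: ${cmd}`),
  );
}

for (const [name, script] of Object.entries({ BROKEN_STEP, FIXED_STEP })) {
  const problems = lintRunScript(script);
  console.log(`${name}: ${problems.length === 0 ? "ok" : problems.join("\n")}`);
}
```

The quote-aware splitter matters more than it looks: a naive split on `|` would cut the jq filter apart and the `--arg` flags would end up in a different "stage" from `gh run list`, hiding exactly the combination the check is meant to catch.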

@davida-ps davida-ps merged commit cb58e58 into main Jun 10, 2026
14 checks passed
@davida-ps davida-ps deleted the davida-ps/fix-codeql-run-jq-args branch June 10, 2026 08:23