refactor: change CVE enhancement to post-merge workflow

Changed the CVE enhancement workflow to run after PRs are merged to main, similar to other automation workflows (template-sign, checksum, etc). Benefits: - No permission issues with fork PRs - Cleaner workflow logic - Consistent with existing automation patterns - Works for all PRs regardless of source The workflow now: - Triggers on push to main when CVE files change - Detects changed CVE files from the last commit - Enhances them with impact/remediation fields - Commits changes back to main
2026-01-31 15:53:33 +08:00 · 2025-12-16 14:57:46 +05:30
parent 4e41dde1fd
commit ed562e5c00
1 changed files with 11 additions and 25 deletions
--- a/.github/workflows/cve-enhancement.yml
+++ b/.github/workflows/cve-enhancement.yml
@@ -1,9 +1,12 @@
 name: 🔧 CVE Enhancement

 on:
-  pull_request:
+  push:
+    branches:
+      - main
    paths:
      - '**/cves/**/*.yaml'
+  workflow_dispatch:

 jobs:
  enhance:
@@ -15,7 +18,6 @@ jobs:
    steps:
      - uses: actions/checkout@v4
        with:
-          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: Setup Python
@@ -29,11 +31,13 @@ jobs:
      - name: Get changed CVE files
        id: files
        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
-          FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep 'cves/.*\.yaml$' || echo "")
+          # Get files changed in the last commit
+          FILES=$(git diff --name-only HEAD~1 HEAD | grep 'cves/.*\.yaml$' || echo "")
          if [ -n "$FILES" ]; then
            echo "changed=true" >> $GITHUB_OUTPUT
            echo "$FILES" > /tmp/cve_files.txt
+            echo "Changed CVE files:"
+            cat /tmp/cve_files.txt
          else
            echo "changed=false" >> $GITHUB_OUTPUT
          fi
@@ -41,36 +45,18 @@ jobs:
      - name: Enhance CVE templates
        if: steps.files.outputs.changed == 'true'
        run: |
-          # Fetch enhancement script from base branch if not present in PR branch
-          if [ ! -f ".github/scripts/enhance-cve-fields.py" ]; then
-            echo "Enhancement script not found in PR branch, fetching from base branch..."
-            git fetch origin ${{ github.event.pull_request.base.ref }}
-            git checkout origin/${{ github.event.pull_request.base.ref }} -- .github/scripts/enhance-cve-fields.py
-          fi
          while read file; do
            [ -f "$file" ] && python .github/scripts/enhance-cve-fields.py "$file"
          done < /tmp/cve_files.txt

      - name: Commit changes
-        if: steps.files.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name == github.repository
+        if: steps.files.outputs.changed == 'true'
        run: |
          if ! git diff --quiet; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add -A
            git commit -m "chore: add impact and remediation fields 🤖"
-            git push origin HEAD:${{ github.event.pull_request.head.ref }}
-          fi
-
-      - name: Check for unapplied changes (fork PRs)
-        if: steps.files.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name != github.repository
-        run: |
-          if ! git diff --quiet; then
-            echo "⚠️ This PR is from a fork. The CVE enhancement script generated changes that need to be applied manually."
-            echo "Please run the following command locally and push to your branch:"
-            echo ""
-            echo "  python .github/scripts/enhance-cve-fields.py <your-cve-file.yaml>"
-            echo ""
-            git diff
-            exit 1
+            git pull origin $GITHUB_REF --rebase
+            git push origin $GITHUB_REF
          fi