feat: create new work pools for reimports & cves

deployment/clouddeploy/gke-workers/base/importer-reconciler.yaml

@@ -27,6 +27,8 @@ spec:
                 value: "1.0"
               - name: TRACE_SAMPLE_RATE # for the individual vulnerability entries
                 value: "0.05"
+              - name: REIMPORT_TASK_POOL
+                value: "reimport"
             resources:
               requests:
                 cpu: "1"

deployment/clouddeploy/gke-workers/base/importer.yaml

@@ -30,6 +30,8 @@ spec:
                 value: "1.0"
               - name: TRACE_SAMPLE_RATE # for the individual vulnerability entries
                 value: "0.05"
+              - name: REIMPORT_TASK_POOL
+                value: "reimport"
             resources:
               requests:
                 cpu: "1"

deployment/clouddeploy/gke-workers/base/kustomization.yaml

@@ -1,6 +1,8 @@
 resources:
 - workers.yaml
 - scaler.yaml
+- workers-cves.yaml
+- workers-reimport.yaml
 - importer.yaml
 - importer-deleter.yaml
 - importer-reconciler.yaml

deployment/clouddeploy/gke-workers/base/workers-cves.yaml

@@ -0,0 +1,84 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: pubsub-cves
+spec:
+  minReplicas: 0
+  maxReplicas: 100
+  metrics:
+  - external:
+      metric:
+        name: pubsub.googleapis.com|subscription|num_undelivered_messages
+        selector:
+          matchLabels:
+            resource.labels.subscription_id: cves
+      target:
+        type: AverageValue
+        averageValue: 10  # each worker can handle 10 tasks
+    type: External
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: workers-cves
+  behavior:
+    scaleUp:
+      stabilizationWindowSeconds: 0
+      policies:
+      - type: Percent
+        value: 10
+        periodSeconds: 300
+      - type: Pods
+        value: 20
+        periodSeconds: 300
+      selectPolicy: Max
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workers-cves
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      name: workers-cves
+  template:
+    metadata:
+      labels:
+        name: workers-cves
+    spec:
+      containers:
+      - name: workers-cves
+        image: worker
+        imagePullPolicy: Always
+        env:
+          - name: GITTER_HOST
+            value: http://gitter-service:8888
+          - name: PUBSUB_SUBSCRIPTION
+            value: cves
+          - name: DATASTORE_DATABASE_ID
+            value: "" # default
+          - name: FAILED_TASKS_TOPIC
+            value: failed-tasks
+          - name: NOTIFY_PYPI
+            value: "false"
+        resources:
+          requests:
+            cpu: "0.9"
+            memory: "1.2Gi"
+          limits:
+            cpu: "1.5"
+            memory: "1.3Gi"

deployment/clouddeploy/gke-workers/base/workers-reimport.yaml

@@ -0,0 +1,84 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: pubsub-reimport
+spec:
+  minReplicas: 0
+  maxReplicas: 100
+  metrics:
+  - external:
+      metric:
+        name: pubsub.googleapis.com|subscription|num_undelivered_messages
+        selector:
+          matchLabels:
+            resource.labels.subscription_id: reimport
+      target:
+        type: AverageValue
+        averageValue: 10  # each worker can handle 10 tasks
+    type: External
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: workers-reimport
+  behavior:
+    scaleUp:
+      stabilizationWindowSeconds: 0
+      policies:
+      - type: Percent
+        value: 10
+        periodSeconds: 300
+      - type: Pods
+        value: 20
+        periodSeconds: 300
+      selectPolicy: Max
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workers-reimport
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      name: workers-reimport
+  template:
+    metadata:
+      labels:
+        name: workers-reimport
+    spec:
+      containers:
+      - name: workers-reimport
+        image: worker
+        imagePullPolicy: Always
+        env:
+          - name: GITTER_HOST
+            value: http://gitter-service:8888
+          - name: PUBSUB_SUBSCRIPTION
+            value: reimport
+          - name: DATASTORE_DATABASE_ID
+            value: "" # default
+          - name: FAILED_TASKS_TOPIC
+            value: failed-tasks
+          - name: NOTIFY_PYPI
+            value: "false"
+        resources:
+          requests:
+            cpu: "0.9"
+            memory: "1.2Gi"
+          limits:
+            cpu: "1.5"
+            memory: "1.3Gi"

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/kustomization.yaml

@@ -5,6 +5,8 @@ resources:
 patches:
 - path: workers.yaml
 - path: scaler.yaml
+- path: workers-cves.yaml
+- path: workers-reimport.yaml
 - path: importer.yaml
 - path: importer-deleter.yaml
 - path: importer-reconciler.yaml

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/workers-cves.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workers-cves
+spec:
+  template:
+    spec:
+      tolerations:
+      - key: workloadType
+        operator: Equal
+        value: worker-pool
+      nodeSelector:
+        workloadType: worker-pool
+      containers:
+      - name: workers-cves
+        env:
+          - name: GOOGLE_CLOUD_PROJECT
+            value: oss-vdb-test
+          - name: OSV_VULNERABILITIES_BUCKET
+            value: osv-test-vulnerabilities

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/workers-reimport.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workers-reimport
+spec:
+  template:
+    spec:
+      tolerations:
+      - key: workloadType
+        operator: Equal
+        value: worker-pool
+      nodeSelector:
+        workloadType: worker-pool
+      containers:
+      - name: workers-reimport
+        env:
+          - name: GOOGLE_CLOUD_PROJECT
+            value: oss-vdb-test
+          - name: OSV_VULNERABILITIES_BUCKET
+            value: osv-test-vulnerabilities

deployment/clouddeploy/gke-workers/environments/oss-vdb/kustomization.yaml

@@ -2,6 +2,8 @@ resources:
 - ../../base
 patches:
 - path: workers.yaml
+- path: workers-cves.yaml
+- path: workers-reimport.yaml
 - path: importer.yaml
 - path: importer-deleter.yaml
 - path: importer-reconciler.yaml

deployment/clouddeploy/gke-workers/environments/oss-vdb/workers-cves.yaml

@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workers-cves
+spec:
+  template:
+    spec:
+      containers:
+      - name: workers-cves
+        env:
+          - name: GOOGLE_CLOUD_PROJECT
+            value: oss-vdb
+          - name: OSV_VULNERABILITIES_BUCKET
+            value: osv-vulnerabilities

deployment/clouddeploy/gke-workers/environments/oss-vdb/workers-reimport.yaml

@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workers-reimport
+spec:
+  template:
+    spec:
+      containers:
+      - name: workers-reimport
+        env:
+          - name: GOOGLE_CLOUD_PROJECT
+            value: oss-vdb
+          - name: OSV_VULNERABILITIES_BUCKET
+            value: osv-vulnerabilities
+          - name: NOTIFY_PYPI
+            value: "true"

deployment/terraform/environments/oss-vdb-test/main.tf

@@ -46,6 +46,11 @@ module "osv_test" {
   website_domain = "test.osv.dev"
   api_url        = "api.test.osv.dev"
   esp_version    = "2.55.1"
+
+  extra_work_pools = [
+    "reimport",
+    "cves",
+  ]
 }
 
 module "k8s_cron_alert" {

deployment/terraform/environments/oss-vdb/main.tf

@@ -46,6 +46,11 @@ module "osv" {
   website_domain = "osv.dev"
   api_url        = "api.osv.dev"
   esp_version    = "2.55.1"
+
+  extra_work_pools = [
+    "reimport",
+    "cves",
+  ]
 }
 
 module "oss_fuzz" {

deployment/terraform/modules/osv/pubsub_tasks.tf

@@ -41,6 +41,30 @@ resource "google_pubsub_subscription" "default_work" {
   filter = "attributes.work_pool = \"default\""
 }
 
+resource "google_pubsub_subscription" "work_pools" {
+  for_each                   = toset(var.extra_work_pools)
+  project                    = var.project_id
+  name                       = each.value
+  topic                      = google_pubsub_topic.tasks.id
+  message_retention_duration = "604800s"
+  ack_deadline_seconds       = 600
+
+  dead_letter_policy {
+    dead_letter_topic     = google_pubsub_topic.failed_tasks.id
+    max_delivery_attempts = 5
+  }
+
+  expiration_policy {
+    ttl = "" # never expires
+  }
+
+  labels = {
+    goog-dm = "pubsub"
+  }
+
+  filter = "attributes.work_pool = \"${each.value}\""
+}
+
 resource "google_pubsub_topic" "pypi_bridge" {
   project = var.project_id
   name    = "pypi-bridge"

deployment/terraform/modules/osv/variables.tf

@@ -67,3 +67,9 @@ variable "website_domain" {
   type        = string
   description = "Domain to serve the OSV website on. Domain ownership and DNS settings must be manually configured."
 }
+
+variable "extra_work_pools" {
+  type        = list(string)
+  description = "Additional Pub/Sub worker pool subscriptions to create"
+  default     = []
+}

gcp/workers/recoverer/recoverer.py

@@ -137,8 +137,8 @@ def handle_gcs_missing(message: pubsub_v1.types.PubsubMessage) -> bool:
         deleted='false',
         skip_hash_check='true',
         req_timestamp=str(int(time.time())),
-        work_pool='default',
-    )  # TODO(michaelkedar): replace with reimport pool when created
+        work_pool='reimport',
+    )
 
     return True