ci: add centralized vuln remediation workflow #15

Open
ulziibay-kernel wants to merge 1 commit into main from security/vuln-remediation-reusable

Conversation


@ulziibay-kernel ulziibay-kernel commented May 4, 2026

Thin caller to the reusable 3-stage pipeline (triage → fix → PR) in kernel/security-workflows.

Made with Cursor


Note

Low Risk
Low risk: adds a scheduled/manual GitHub Actions workflow plus a simple socket.yml version file, without changing application/runtime logic.

Overview
Adds a new GitHub Actions workflow (.github/workflows/vuln-remediation.yml) that runs on a weekly cron and via manual dispatch to invoke the centralized kernel/security-workflows vulnerability remediation pipeline, with permissions to create PRs and write contents.

Introduces socket.yml with version: 2 to enable Socket security tooling configuration.

Reviewed by Cursor Bugbot for commit a3a7c5a. Bugbot is set up for automated code reviews on this repo.

Co-authored-by: Cursor <cursoragent@cursor.com>
@firetiger-agent

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR modifies CI/vulnerability workflow configuration, not kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.


@cursor (cursor Bot) left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.



```yaml
remediate:
  uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main
  with:
    setup-bun: true
```

Wrong package manager configured in remediation workflow

High Severity

The setup-bun: true input is passed to the reusable workflow, but this project uses pnpm as its package manager everywhere — package.json declares "packageManager": "pnpm@10.30.1", all CI jobs in ci.yml set up pnpm via pnpm/action-setup@v4, and the repo contains a pnpm-lock.yaml. The remediation workflow will likely install dependencies with the wrong tool, producing incorrect fixes or failing entirely.


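The mismatch Bugbot flags above (a caller workflow enabling `setup-bun` while `package.json` declares pnpm) is the kind of drift a repo can catch before a reusable remediation pipeline runs with the wrong tool. The script below is an added example, not code from this PR or from kernel/security-workflows: it reads the `packageManager` field from `package.json`, scans the caller workflow for `setup-<tool>: true` inputs, and reports any tool enabled that is not the declared one. The `setup-<tool>` input naming is an assumption generalized from the single `setup-bun` input visible in the PR, and the embedded workflow and package.json snippets are constructed samples.

```python
"""Check that the package-manager setup inputs a caller workflow passes to a
reusable workflow agree with the package manager declared in package.json.

Added example, not part of the PR. Assumes the reusable workflow's inputs are
named `setup-<tool>` (only `setup-bun` is visible in the PR).
"""
import json
import re
from typing import List, Optional, Set

# Constructed sample: the caller workflow's job as it appears in the PR.
WORKFLOW_YAML = """\
jobs:
  remediate:
    uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main
    with:
      setup-bun: true
"""

# Constructed sample: the relevant field of the repo's package.json.
PACKAGE_JSON = '{"name": "kernel", "packageManager": "pnpm@10.30.1"}'

# Matches lines such as "      setup-bun: true" inside the `with:` block.
SETUP_INPUT = re.compile(r"^\s*setup-([a-z]+):\s*(true|false)\s*$")


def declared_package_manager(package_json_text: str) -> Optional[str]:
    """Return the tool name from packageManager ("pnpm@10.30.1" -> "pnpm")."""
    field = json.loads(package_json_text).get("packageManager")
    if not field:
        return None
    return field.split("@", 1)[0]


def enabled_setup_tools(workflow_text: str) -> Set[str]:
    """Collect every tool for which the caller passes setup-<tool>: true."""
    tools = set()
    for line in workflow_text.splitlines():
        m = SETUP_INPUT.match(line)
        if m and m.group(2) == "true":
            tools.add(m.group(1))
    return tools


def check_package_manager(workflow_text: str, package_json_text: str) -> List[str]:
    """Return a list of findings; an empty list means the inputs are consistent."""
    declared = declared_package_manager(package_json_text)
    if declared is None:
        return ["package.json has no packageManager field; cannot verify workflow inputs"]
    enabled = enabled_setup_tools(workflow_text)
    # Any setup-<tool> enabled for a tool other than the declared one is a mismatch.
    return [
        f"workflow enables setup-{tool} but package.json declares {declared}"
        for tool in sorted(enabled - {declared})
    ]


if __name__ == "__main__":
    for finding in check_package_manager(WORKFLOW_YAML, PACKAGE_JSON):
        print("FINDING:", finding)
```

Run it as a CI step alongside the workflow lint; on the PR's sample input it reports the bun/pnpm mismatch, and a caller that enables no `setup-<tool>` input at all produces no finding, since the reusable workflow's defaults are outside what this repo can see.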

@ulziibay-kernel ulziibay-kernel requested a review from Sayan- May 4, 2026 20:41