Skip to content

ci: add centralized vuln remediation workflow#106

Open
ulziibay-kernel wants to merge 1 commit intomainfrom
security/vuln-remediation-reusable
Open

ci: add centralized vuln remediation workflow#106
ulziibay-kernel wants to merge 1 commit intomainfrom
security/vuln-remediation-reusable

Conversation

@ulziibay-kernel
Copy link
Copy Markdown

@ulziibay-kernel ulziibay-kernel commented May 4, 2026
edited by cursor Bot
Loading

Thin caller to the reusable 3-stage pipeline (triage → fix → PR) in kernel/security-workflows.

Made with Cursor

Note

Low Risk
Low risk because this only adds CI configuration for a scheduled/manual GitHub Action and a socket.yml version pin; it doesn’t change runtime application code.

Overview
Adds a scheduled and manually triggerable Vulnerability Remediation GitHub Actions workflow that delegates to the reusable kernel/security-workflows pipeline with permissions to push fixes and open PRs.

Introduces socket.yml with version: 2.

Reviewed by Cursor Bugbot for commit cfcca41. Bugbot is set up for automated code reviews on this repo. Configure here.

@ulziibay-kernel @cursoragent
ci: add centralized vuln remediation workflow
cfcca41 
Co-authored-by: Cursor <cursoragent@cursor.com>
@firetiger-agent
Copy link
Copy Markdown

firetiger-agent Bot commented May 4, 2026

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR only adds a CI workflow caller and does not modify API endpoints (packages/api/cmd/api/) or Temporal workflows (packages/api/lib/temporal).

To monitor this PR anyway, reply with @firetiger monitor this.

cursor[bot]
cursor Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit cfcca41. Configure here.

Comment thread .github/workflows/vuln-remediation.yml
remediate:
uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main
with:
setup-bun: true
Copy link
Copy Markdown

@cursor cursor Bot May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workflow configures bun but project uses yarn

Medium Severity

The setup-bun: true input is passed to the reusable workflow, but this project uses yarn as its package manager (as declared by packageManager: "yarn@1.22.22" in package.json, the presence of yarn.lock, and all existing CI workflows using actions/setup-node). This mismatch could cause the remediation pipeline to install dependencies with the wrong package manager, leading to incorrect lockfile updates or failed runs.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit cfcca41. Configure here.

@ulziibay-kernel ulziibay-kernel requested a review from Sayan- May 4, 2026 20:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@Sayan- Sayan- Awaiting requested review from Sayan-

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ulziibay-kernel