OneSizeFitsQuorum opened a new pull request, #16995:
URL: https://github.com/apache/iotdb/pull/16995
## Description
Backports improvements to the weekly CVE scanning workflow that were
validated through the Apache Ratis PR #1328 community review process.
### Workflow Simplification
- **Removed matrix strategy**: Single runner (ubuntu-latest, JDK 17) instead
of matrix configuration
- **Removed Maven cache**: Cache ineffective for weekly scheduled jobs
- **Consolidated dependency checks**: `aggregate` step subsumes `check` step
### Enhanced Configuration
- **Added conditional execution**: Prevents forks from running scheduled
scans (`github.repository == 'apache/iotdb'`)
- **Added NVD API key support**: `-DnvdApiKey=${{ secrets.NVD_API_KEY }}`
parameter for improved CVE data access
- **Consistent Maven args**: `$MAVEN_ARGS` variable usage across commands
### Improved Clarity
- **Renamed `DATE_EAST_ASIA` → `REPORT_DATE`**: Clearer semantic meaning
- **Simplified artifact naming**: Removed redundant `${{ runner.os }}`
component
- **Updated step descriptions**: More precise naming
### Security Hardening
- **Added explicit permissions**: `contents: read` follows principle of
least privilege
<hr>
This PR has:
- [x] been self-reviewed.
- [x] added comments explaining the "why" and the intent of the code
wherever it would not be obvious for an unfamiliar reader.
<hr>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
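For readers who want to see the shape of a workflow hardened the way the PR description lists, the following GitHub Actions file is an added illustration written for this page. It is not the IoTDB project's actual workflow and not code from the PR: the file name, workflow name, cron schedule, artifact name, report path, the `MAVEN_ARGS` contents and the assumption that `dependency-check-maven` is already configured in the project's `pom.xml` are all assumptions. What it does carry from the description is the single runner with JDK 17, the `if: github.repository == 'apache/iotdb'` guard, the `permissions: contents: read` block, the `REPORT_DATE` variable, the `aggregate` goal in place of a separate `check`, and the NVD API key supplied from a repository secret.

```yaml
# Added illustration, not the IoTDB project's own workflow file.
# Assumed path: .github/workflows/cve-scan.yml
name: Weekly CVE scan

on:
  schedule:
    - cron: "0 2 * * 0"   # assumed schedule: Sundays 02:00 UTC
  workflow_dispatch:       # allow a manual run for debugging

# Least privilege: the job only needs to read the checkout. Without an
# explicit block the job inherits the repository's default GITHUB_TOKEN
# permissions, which may include write scopes the scan never uses.
permissions:
  contents: read

jobs:
  dependency-check:
    # Forks that keep the schedule would otherwise run the scan (and spend
    # NVD quota) against their own copy; restrict it to the upstream repo.
    if: github.repository == 'apache/iotdb'
    # One runner, one JDK: a matrix buys nothing for a dependency audit,
    # since the vulnerable artifact set does not depend on OS or JDK.
    runs-on: ubuntu-latest
    env:
      # Shared flags so every mvn invocation in the job agrees (assumed).
      MAVEN_ARGS: "-B -ntp"
      # The secret is handed to the shell as an environment variable rather
      # than expanded by ${{ }} inside the run script (assumed secret name).
      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      # No Maven cache step: a cache keyed on pom.xml rarely survives a week
      # between scheduled runs, so restoring it costs time without a hit.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Compute report date
        # REPORT_DATE says what the value is for; a timezone-named variable
        # did not. Written to GITHUB_ENV so later steps can read it.
        run: echo "REPORT_DATE=$(date -u +%Y-%m-%d)" >> "$GITHUB_ENV"

      - name: Run OWASP dependency-check across all modules
        # 'aggregate' walks every module of the reactor, so a separate
        # per-module 'check' invocation is redundant and is omitted.
        run: >
          mvn $MAVEN_ARGS
          org.owasp:dependency-check-maven:aggregate
          -DnvdApiKey="$NVD_API_KEY"

      - name: Upload report
        if: always()   # keep the report even when findings fail the build
        uses: actions/upload-artifact@v4
        with:
          # No ${{ runner.os }} component: there is only one runner now.
          name: dependency-check-report-${{ env.REPORT_DATE }}
          path: target/dependency-check-report.html   # assumed output path
```

Two points a reviewer of such a workflow would check: that `permissions` is declared at the top level (so every job inherits read-only unless it opts in), and that the repository guard sits on the job rather than on an individual step, since a step-level `if` would still start the runner. Routing the key through `env` instead of the inline `-DnvdApiKey=${{ secrets.NVD_API_KEY }}` form quoted in the description is a stylistic choice made here; both hand the same secret to the plugin.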