72 changes: 72 additions & 0 deletions .cve-fix/examples.md
@@ -0,0 +1,72 @@
<!-- last-analyzed: 2026-06-12 | cve-merged: 16 -->

## Titles

- `fix(security): backport <version> fixes to <release-branch>` (security code fixes, 3/16 PRs)
- `[release-v0.42.2] fix(deps): update <package> to fix <GHSA-ID>` (GHSA dep bumps, 2/16 PRs)
- `chore(deps): bump <module> from <old> to <new>` (dependabot-style dep bumps, 8/16 PRs)
- Prefix `[DNM]` for work-in-progress backport PRs not yet ready to merge

## Branches

- Security code fixes: `security-<short-description>-<release-branch-hyphenated>` (e.g. `security-header-hijacking-v0-42-x`)
- Manual dep bumps: `deps/<package>` or `update-<package>-security-fix` (e.g. `deps/go-jose`, `update-go-jose-security-fix`)
- Backport per release branch: one branch per release stream (e.g. `deps/go-jose-v0.42`)

## Files

- Go dependency CVEs: `go.mod`, `go.sum` (always together)
- GitHub App token / host-header security: `pkg/provider/github/app/token.go`, `pkg/provider/github/github.go`, `pkg/provider/github/parse_payload.go`
- Webhook security: `pkg/adapter/incoming.go`, `pkg/adapter/sinker.go`
- Remote task resolution: `pkg/resolve/remote.go`
- Tests always accompany code changes: `pkg/adapter/incoming_test.go`, `pkg/provider/github/app/token_test.go`, `pkg/resolve/remote_test.go`

## Co-upgrades

- When bumping `go-jose/v3`, also bump `go-jose/v4` (and vice versa) β€” both must be at fixed versions together (12/16 dep PRs)
- Security backports to older release branches: also update `go-jose/v3`, `go-jose/v4`, and `tektoncd/pipeline` on that branch

## PR Description

Use the repo's standard template sections (in order):

```markdown
## πŸ“ Description of the Change
<what changed and why β€” include bullet points for each security hardening>

### How this backport was done
<step-by-step: which branch, API differences resolved, dependency bumps, GOTOOLCHAIN pinning>

### Commits
| Commit | Description |
|--------|-------------|
| `<sha>` | `<conventional commit message>` |

## πŸ‘¨πŸ»β€ Linked Jira
<Jira ticket or N/A>

## πŸ”— Linked GitHub Issue
Fixes #<issue> (or N/A)

## πŸ§ͺ Testing Strategy
- [x] Unit tests
- [ ] Integration tests
- [ ] End-to-end tests
- [ ] Manual testing
- [ ] Not Applicable

Validation run locally:
- `make test`
- `make lint-go`
- `go test ./pkg/adapter` (for adapter/webhook changes)

## πŸ€– AI Assistance
<note if AI was used>
```

## Don'ts

- ❌ Do not combine multiple release-branch backports in one PR β€” one PR per release branch
- ❌ Do not skip `go.sum` when updating `go.mod` β€” always commit both together
- ❌ Do not bump `go-jose/v3` without also bumping `go-jose/v4` in the same PR
- ❌ Do not use `GOTOOLCHAIN=local` β€” pin `GOTOOLCHAIN` to the exact Go version in the branch's `go.mod` (e.g. `GOTOOLCHAIN=go1.24.2`)
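Review bot: The PR counts in this file do not reconcile, and since they are what gives the conventions their weight they should be made consistent before merge. The "Titles" section accounts for 3/16 security code fixes, 2/16 GHSA dep bumps and 8/16 dependabot-style bumps (10 dep PRs, 13 PRs in total), but the "Co-upgrades" section says the go-jose v3/v4 pairing applies to "12/16 dep PRs"; either the title buckets are missing three PRs or the co-upgrade figure is wrong. Two smaller points in the same hunk: the release-branch suffix is written two ways, hyphenated in `security-header-hijacking-v0-42-x` under "Branches" but dotted in `deps/go-jose-v0.42` two lines later, so pick one and state it once; and the `GOTOOLCHAIN` rule under "Don'ts" should say which `go.mod` line it pins to (the `go` directive or the `toolchain` directive, which can differ on a branch) and note that an exact pin such as `GOTOOLCHAIN=go1.24.2` will fetch that toolchain when it is not installed locally, which is the reason `GOTOOLCHAIN=local` is being ruled out and is worth spelling out for whoever runs the backport.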