QVAC-21550 infra: roll out canonical security baseline (TruffleHog + CodeQL) to qvac-ext-stable-diffusion.cpp#17
Merged
Conversation
Review StatusCurrent Status: ❌ PENDING Pending reviews: Needs 1 Management or Team Lead, and 1 more from Management, Team Lead, or Member. |
Security baseline — findings detected
See the job summary and the repository Security tab for details. This comment is updated automatically by the canonical security workflow. |
NamelsKing
previously approved these changes
Jul 2, 2026
Proletter
reviewed
Jul 6, 2026
Proletter
previously approved these changes
Jul 7, 2026
Proletter
approved these changes
Jul 7, 2026
sidj-thr
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎯 What problem does this PR solve?
uses:reference. This PR lands that caller in this Tier-1 native (C/C++) repo.📝 How does it solve it?
.github/workflows/security-baseline.yml, a thin caller that delegates to the canonical reusable workflowtetherto/qvac-actions/.github/workflows/public-reusable-security.yml(TruffleHog secret scan + CodeQL static analysis), authored under QVAC-19055.pull_request,pushto the default branch, andworkflow_dispatch. Plainpull_request(notpull_request_target) — the baseline needs no secrets/privileged context.languages: c-cpp(explicit),severity-threshold: high,codeql-upload: never(this repo uses CodeQL "Default setup"), andcodeql-build-mode: none— buildless C/C++ extraction. This is uniform across all Tier-1 C/C++ callers and robust versus autobuild on native/submodule projects (submodule forks otherwise fail autobuild atadd_subdirectory ... does not contain a CMakeLists.txt file).🧪 How was it tested?
actionlint— clean;yamlfmt -lint -formatter retain_line_breaks_single=true(v0.17.0) — clean.baseline / *checks (TruffleHog + CodeQL c-cpp) verified green withcodeql-build-mode: none.🔐 Action pinning
tetherto/qvac-actions/.github/workflows/public-reusable-security.yml(reusable workflow): pinned tobe1d22629cc48b6dcc36645acc9e6d89cfaf54d8 # 0.2.0— the immutable commit SHA behind the released0.2.0tag (which adds thecodeql-build-modeinput, qvac-actions#10), per the org freeze-and-pin convention.🛡️ Permissions changes
contents: read.baseline— Before: (none) → After:contents: read,security-events: write,pull-requests: write,actions: read.security-events: writefor CodeQL SARIF,pull-requests: writefor the findings summary comment,actions: readfor workflow introspection; everything else stays read-only. No repo secrets are passed (github.tokencovers the write-backs on same-repo runs).Part of the QVAC-21550 Tier-1 rollout (canonical security workflow: QVAC-19055; Tier-1 scope: QVAC-19052).
Drafted by an AI agent via the
qv-devops-pr-createconvention; please review the workflow config before merge.