From a6a8f9f83a4054953b8ad181915c79bbffb903a2 Mon Sep 17 00:00:00 2001
From: Miguel Prieto
Date: Mon, 11 May 2026 12:35:14 -0300
Subject: [PATCH] ci: skip examples/ in OSV scans

examples/ pins old dependency versions (jackson 2.17.1, etc.) and was producing ~793 vulnerability hits, all from those example pom.xml files, which blocked the scheduled scan and would block PR scans too. None of the published modules are affected.

Override scan-args on both the PR and scheduled workflows to enumerate the published modules explicitly and skip examples/.

Restore examples once they are bumped to the same dependency versions as the production modules.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/osv-scanner-scheduled.yml | 16 ++++++++++++++++
 .github/workflows/osv-scanner.yml | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
index 5bcf06d6c..ec3365cac 100644
--- a/.github/workflows/osv-scanner-scheduled.yml
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -14,3 +14,19 @@ permissions:
 jobs:
 scan-scheduled:
 uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"
+ with:
+ # Scan only the published modules. examples/ pins old dependency versions and
+ # is excluded for now to keep the scan green. Add it back once examples are
+ # bumped to the same versions as the production modules.
+ scan-args: |-
+ -r
+ buildSrc
+ conductor-client
+ conductor-client-metrics
+ conductor-client-spring
+ conductor-client-spring-boot4
+ harness
+ java-sdk
+ orkes-client
+ orkes-spring
+ tests
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index def5bb9da..978d5eaae 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
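Review bot: The explicit directory allowlist in the new `scan-args` turns any drift in the module layout into a silent loss of coverage: a module added or renamed after this commit is simply never scanned and nothing fails to say so, and the same applies to the identical list in osv-scanner.yml. If the reusable workflow's default was a recursive scan of the repository root, anything at the root itself (a top-level build file or lockfile) also drops out of the scan; worth confirming against the reusable workflow before relying on this list. I would state the maintenance obligation in the comment, e.g. `# Keep this list in sync with the project's module set and with osv-scanner.yml; a directory missing here is not scanned at all.`, and since a `uses:` job cannot carry extra steps, consider a small separate job that enumerates top-level directories containing a build file and fails when one is neither listed here nor examples/. Excluding examples/ rather than enumerating every module would avoid the drift entirely if the pinned scanner version offers such an option, which I have not verified.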
@@ -18,3 +18,19 @@ concurrency:
 jobs:
 scan-pr:
 uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.3"
+ with:
+ # Scan only the published modules. examples/ pins old dependency versions and
+ # is excluded for now to keep the scan green. Add it back once examples are
+ # bumped to the same versions as the production modules.
+ scan-args: |-
+ -r
+ buildSrc
+ conductor-client
+ conductor-client-metrics
+ conductor-client-spring
+ conductor-client-spring-boot4
+ harness
+ java-sdk
+ orkes-client
+ orkes-spring
+ tests