chore: update pvtr plugin to v0.24.0+2fixes#4314
Conversation
Bumps pvtr-github-repo-scanner from v0.23.2 (c7bd9538) to commit c1095c95, which is post-v0.24.0 and includes two required fixes: - fix(OSPS-BR-07.01): consult Security Insights when security_and_analysis is null - fix(OSPS-LE-02.01): pass deprecated but OSI/FSF-approved SPDX IDs Also updates the plugin build stage to golang:1.26.4-alpine3.22, required by go.mod at the new commit (go 1.26.4). Privateer binary stays at 0.21.2, confirmed compatible by pvtr's own Dockerfile. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
There was a problem hiding this comment.
Pull request overview
This PR bumps the pvtr-github-repo-scanner plugin used by the security_best_practices_worker image from the v0.23.2 pin (commit c7bd9538) to a post-v0.24.0 commit (c1095c95, labeled "v0.24.0+2fixes"), which pulls in two required OSPS bug fixes. The change is isolated to a single build Dockerfile and involves no application code. I verified the change against the upstream scanner repo at the pinned commit: its go.mod declares go 1.26.4 and its own Dockerfile uses golang:1.26.4-alpine3.22 (digest-pinned), so the base-image change and version bump are correct and consistent. No other references to the old version or commit exist elsewhere in the repo.
Changes:
- Bump
PVTR_VERSIONtov0.24.0andPVTR_COMMITtoc1095c95…, updating the accompanying comment to match. - Update the plugin build stage base image from
golang:1.26.3-alpine3.23togolang:1.26.4-alpine3.22(matches upstreamgo 1.26.4requirement).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
pvtr-github-repo-scannercommit fromc7bd9538(v0.23.2) toc1095c95(post-v0.24.0 HEAD)fix(OSPS-BR-07.01)(consult Security Insights whensecurity_and_analysisis null) andfix(OSPS-LE-02.01)(pass deprecated but OSI/FSF-approved SPDX IDs)golang:1.26.3-alpine3.23togolang:1.26.4-alpine3.22— required by go.mod at new commit (go 1.26.4); matches pvtr's own Dockerfile0.21.2(confirmed compatible)No breaking changes
All commits between v0.23.2 and the new HEAD are dependency bumps, CI fixes, and the two bug fixes above.
🤖 Generated with Claude Code
Note
Low Risk
Dependency pin and build-image bump only; no application code changes and the Privateer core version is unchanged.
Overview
Updates the security best practices worker image build so the Privateer
github-repoplugin is pinned to v0.24.0 at commitc1095c95(replacing v0.23.2 /c7bd9538), including post-release fixes for OSPS-BR-07.01 (Security Insights whensecurity_and_analysisis null) and OSPS-LE-02.01 (deprecated OSI/FSF-approved SPDX IDs).The plugin compile stage moves to
golang:1.26.4-alpine3.22to match the scanner’sgo.mod; the Privateer core binary remains 0.21.2.Reviewed by Cursor Bugbot for commit f41380e. Bugbot is set up for automated code reviews on this repo. Configure here.