[Security] Post-PR #191 GitHub Actions warning and branch-gate follow-through

[seonghobae]

현재 역할

업무/O1: coordinate post-PR #191 warning/security-gate follow-through on current default branch develop.

현재 상태

PR #191 merged into develop at 80f22c310091091576854049d1fecb084186ef8d. Required post-merge runs are green, but check annotations and branch-protection parity still expose follow-up work that should be handled as a new successor issue instead of reopening #189.

현재 코드 기준 유효성

Verified from fresh Stepwise worktree created from current origin/develop:
/Users/seonghobae/opencode_tasks/bandscope/.worktrees/stepwise-postmerge-strix-warning.

현재 코드 근거

• PR fix: patch rust dependency advisory ownership #191 merged: fix: patch rust dependency advisory ownership #191
• Merge commit: 80f22c310091091576854049d1fecb084186ef8d
• Post-merge default-branch runs passed: bandit, sbom, trivy, secret-scan-gate, codeql, ci, release, security-audit, ossf-scorecard, build-baseline.
• Dependabot dynamic run warning: github/dependabot-action@main uses Node.js 20. Evidence: https://github.com/seonghobae/bandscope/actions/runs/25159436093
• Trivy run warning: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 uses Node.js 20. Evidence: https://github.com/seonghobae/bandscope/actions/runs/25159422973
• Branch protection for main and develop omits trivy-fs-scan, while docs/security/github-required-checks.md lists it as intended required.
• No current Strix workflow/config exists in repo code; stale/planning references remain related evidence, not blockers.

stale한 부분과 재해석

#189 is complete for PR #185 through PR #191 stabilization. This issue is the successor for remaining GitHub Actions runtime warning and branch-gate parity work.

상위/하위/인접 관계

• Milestone / 직무: CodeRabbit Generated Unit Tests: Add unit tests for PR changes #2 v0.1.4 Default-branch Reconciliation & Zero-warning Stabilization
• Predecessor parent / 선행 업무: Post-merge PR #185 stabilization and warning/security follow-through #189
• Completed predecessors / 선행 과업: [Bug] Fix OSSF Scorecard publish failure after PR #185 merge #187, [Security] Track Rust rand advisory and transitive deprecated proc-macro-hack #188
• Related stale rollout context / 유관 이슈: Orchestrate PR #159 Rollout: Diagnostics, Fixes, and AKS Production Deployment #160, Revalidate open develop PR queue after default branch reconciliation #184
• Active candidate PR / 유관 PR: chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 #167

다음 액션

1. Refresh or supersede PR chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 #167 to update Trivy action/runtime warning ownership.
2. Re-check default-branch Trivy annotations after merge.
3. Investigate any repo-owned Node.js 20 action warnings, including dependency review action if present on PR checks.
4. Track github/dependabot-action@main as GitHub/platform-owned if no repo-controlled fix exists.
5. Add trivy-fs-scan to required checks for develop and main, or record exact permission/platform blocker.
6. Re-query Dependabot, code scanning, secret scanning, and branch protection evidence.

완료 조건

• Repo-owned Node.js 20 GitHub Actions warnings are fixed or narrowly tracked with owner/upstream path.
• trivy-fs-scan is required on develop and main, or exact permission/platform blocker is recorded.
• Dependabot, code scanning, and secret scanning alerts are re-queried and documented.
• GitHub Checks pass on the implementation PR.
• Robot reviewer evidence is current-head approved or authoritative skip evidence is recorded.
• Security Notes are included in the PR.

Security Notes

This is supply-chain and GitHub security-gate work. Do not disable Trivy, CodeQL, dependency review, SBOM, OSSF, secret scanning, Windows build, or macOS build gates. Do not hide warnings with broad log filtering. Treat Strix findings as actionable remediation targets, not merge blockers by name alone.

[coderabbitai]

🔗 Related PRs

#21 - chore(deps): consolidate green Dependabot updates [merged]
#54 - docs: align required checks with stable gates [merged]
#60 - fix: include workflow files in secret scan gate [merged]
#83 - Add Trivy filesystem scan to GitHub Actions [merged]
#96 - chore(security): resolve OSSF Scorecard alerts [merged]
#190 - fix: enforce OSSF Scorecard publish constraints [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[seonghobae]

Completed post-PR #191 warning and branch-gate follow-through.\n\nEvidence:\n- PR #167 merged Trivy action warning remediation: https://github.com/seonghobae/bandscope/pull/167\n- PR #193 merged supply-chain warning remediation guidance updates: https://github.com/seonghobae/bandscope/pull/193\n- PR #193 merge commit on develop: 7007825\n- Post-merge develop runs for 7007825 completed successfully:\n - build-baseline: https://github.com/seonghobae/bandscope/actions/runs/25165179911\n - ci: https://github.com/seonghobae/bandscope/actions/runs/25165179885\n - security-audit: https://github.com/seonghobae/bandscope/actions/runs/25165179923\n - codeql: https://github.com/seonghobae/bandscope/actions/runs/25165179867\n - trivy: https://github.com/seonghobae/bandscope/actions/runs/25165179863\n - sbom: https://github.com/seonghobae/bandscope/actions/runs/25165179884\n - ossf-scorecard: https://github.com/seonghobae/bandscope/actions/runs/25165179880\n - secret-scan-gate: https://github.com/seonghobae/bandscope/actions/runs/25165179947\n - bandit: https://github.com/seonghobae/bandscope/actions/runs/25165179886\n - release: https://github.com/seonghobae/bandscope/actions/runs/25165179927\n- Required checks on both develop and main now include trivy-fs-scan along with ci / build-and-test, dependency-review, security-audit, CodeQL, sbom, release-preflight, gate / build / windows, and gate / build / macos.\n- Local verification before merge passed: python3 scripts/checks/verify_docs.py; python3 scripts/checks/verify_supply_chain.py.\n\nSecurity Notes:\n- No security gate was disabled, downgraded, or bypassed.\n- Non-local owner/repo@ref action guidance now explicitly requires maintained refs and immutable SHA pinning, including org-maintained external actions.\n- Local ./ action guidance is separated from non-local action guidance to avoid accidentally exempting external refs from SHA pinning.\n- Remaining known Dependabot advisory baseline remains tracked separately in GitHub Dependabot alerts and was not hidden or reclassified here.