chore: update pvtr plugin to v0.24.0+2fixes#4314
Conversation
Bumps pvtr-github-repo-scanner from v0.23.2 (c7bd9538) to commit c1095c95, which is post-v0.24.0 and includes two required fixes: - fix(OSPS-BR-07.01): consult Security Insights when security_and_analysis is null - fix(OSPS-LE-02.01): pass deprecated but OSI/FSF-approved SPDX IDs Also updates the plugin build stage to golang:1.26.4-alpine3.22, required by go.mod at the new commit (go 1.26.4). Privateer binary stays at 0.21.2, confirmed compatible by pvtr's own Dockerfile. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
There was a problem hiding this comment.
Pull request overview
This PR bumps the pvtr-github-repo-scanner plugin used by the security_best_practices_worker image from the v0.23.2 pin (commit c7bd9538) to a post-v0.24.0 commit (c1095c95, labeled "v0.24.0+2fixes"), which pulls in two required OSPS bug fixes. The change is isolated to a single build Dockerfile and involves no application code. I verified the change against the upstream scanner repo at the pinned commit: its go.mod declares go 1.26.4 and its own Dockerfile uses golang:1.26.4-alpine3.22 (digest-pinned), so the base-image change and version bump are correct and consistent. No other references to the old version or commit exist elsewhere in the repo.
Changes:
- Bump
PVTR_VERSIONtov0.24.0andPVTR_COMMITtoc1095c95…, updating the accompanying comment to match. - Update the plugin build stage base image from
golang:1.26.3-alpine3.23togolang:1.26.4-alpine3.22(matches upstreamgo 1.26.4requirement).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
pvtr-github-repo-scannercommit fromc7bd9538(v0.23.2) toc1095c95(post-v0.24.0 HEAD)fix(OSPS-BR-07.01)(consult Security Insights whensecurity_and_analysisis null) andfix(OSPS-LE-02.01)(pass deprecated but OSI/FSF-approved SPDX IDs)golang:1.26.3-alpine3.23togolang:1.26.4-alpine3.22— required by go.mod at new commit (go 1.26.4); matches pvtr's own Dockerfile0.21.2(confirmed compatible)No breaking changes
All commits between v0.23.2 and the new HEAD are dependency bumps, CI fixes, and the two bug fixes above.
🤖 Generated with Claude Code
Note
Low Risk
Docker-only dependency pin and toolchain bump for the security scanner plugin; no application code changes and behavior is limited to more accurate OSPS evaluation.
Overview
Bumps the Privateer GitHub repo scanner baked into
Dockerfile.security_best_practices_worker:PVTR_VERSIONmoves to v0.24.0 andPVTR_COMMITto c1095c95 (post-v0.24.0), replacing the v0.23.2 pin. That commit carries OSPS-BR-07.01 (use Security Insights whensecurity_and_analysisis null) and OSPS-LE-02.01 (accept deprecated but OSI/FSF-approved SPDX license IDs).The plugin build stage switches from
golang:1.26.3-alpine3.23togolang:1.26.4-alpine3.22to match the scanner’sgo.modat the new commit. The Privateer core binary stays at 0.21.2.Reviewed by Cursor Bugbot for commit 01742f6. Bugbot is set up for automated code reviews on this repo. Configure here.