fix: improve release job conditions to handle skipped dependencies (#326)

sapientpants · claude · web-flow · commit 93c8ae3968ac · 2025-10-14T21:16:51.000+02:00
* fix: improve release job conditions to handle skipped dependencies Updated the create-release job condition to properly handle cases where docker and npm jobs are skipped instead of failing. The release will now proceed if build succeeded and docker/npm either succeeded or were skipped. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: configure osv-scanner to ignore validator dev dependency issue Added osv-scanner.toml configuration to ignore GHSA-9965-vmph-33xx for the validator package since it's a dev-only dependency not exposed in production. The vulnerability is medium severity (CVSS 6.1) with no fix available yet. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: add empty changeset for osv-scanner configuration This changeset is empty because the osv-scanner.toml configuration change is dev-only and does not require a release. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.changeset/fine-pianos-lead.md b/.changeset/fine-pianos-lead.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -273,7 +273,12 @@ jobs:
   create-release:
     name: Create GitHub Release
     needs: [build, docker, npm]
-    if: needs.build.outputs.changed == 'true'
+    # Run if build succeeded AND docker/npm either succeeded or were skipped
+    if: |
+      needs.build.outputs.changed == 'true' &&
+      !cancelled() &&
+      (needs.docker.result == 'success' || needs.docker.result == 'skipped') &&
+      (needs.npm.result == 'success' || needs.npm.result == 'skipped')
     runs-on: ubuntu-latest
     outputs:
       released: ${{ steps.release.outputs.released }}
diff --git a/osv-scanner.toml b/osv-scanner.toml
@@ -0,0 +1,12 @@
+# OSV Scanner Configuration
+# Documentation: https://google.github.io/osv-scanner/configuration/
+
+# Ignored vulnerabilities
+# These vulnerabilities are acknowledged and accepted as risk
+[[IgnoredVulns]]
+id = "GHSA-9965-vmph-33xx"
+# Reason: validator package is dev-only dependency (not in production)
+# Impact: Medium severity (CVSS 6.1)
+# Status: No fix available yet
+# Review date: 2025-10-14
+reason = "Dev-only dependency, not exposed in production"
