feat: add Cloudsmith scanPackage, getPackageVulnerabilities and quarantinePackage components #5565

Open
felixgateru wants to merge 1 commit into superplanehq:main from felixgateru:feat/cloudsmith-packages-vulnerabilities

Conversation

@felixgateru

@felixgateru felixgateru commented Jun 18, 2026

Collaborator

What changed

Extended the Cloudsmith integration with three new action components, built on top of the existing getPackage / resyncPackage / tagPackage / deletePackage actions:

  • Scan Package (cloudsmith.scanPackage) — schedules a vulnerability scan for a package.
  • Quarantine Package (cloudsmith.quarantinePackage) — quarantines or releases a package.
  • Get Package Vulnerabilities (cloudsmith.getPackageVulnerabilities) — fetches the latest vulnerability scan result for a package.

Why

To automate security workflows around Cloudsmith packages — trigger an on-demand scan after upload or before promotion, gate releases on vulnerability findings, and quarantine (or later release) packages that violate security/license policy. Scan results are asynchronous, so scanPackage schedules the scan while getPackageVulnerabilities retrieves the outcome once it completes.

How

Backend

Extended pkg/integrations/cloudsmith/ with:

  • scan_package.go — cloudsmith.scanPackage action; calls the package /scan/ endpoint and emits the repository/package identifiers confirming the scan was scheduled.
  • quarantine_package.go — cloudsmith.quarantinePackage action with a Quarantine/Release select; calls the /quarantine/ endpoint and emits the updated package object.
  • get_package_vulnerabilities.go — cloudsmith.getPackageVulnerabilities action; reads the top-level /vulnerabilities/ endpoint and emits the most recent scan result (severity, counts, package ref).
  • client.go — added ScanPackage, QuarantinePackage (+ PackageQuarantineRequest), and GetPackageVulnerabilities (+ VulnerabilityScanResult / VulnerabilityPackageRef) client methods/types.
  • cloudsmith.go — registered the three new actions.
  • example.go + example output JSON files for each component.
  • All three actions support expressions in the repository and package fields for dynamic runtime values, and reuse the existing resolvePackageMetadata / parseRepositoryID helpers.
  • Added backend tests for each component (setup validation, metadata resolution, execute, API errors).

Frontend

Added web_src/src/pages/app/mappers/cloudsmith/:

  • scan_package.ts, quarantine_package.ts, get_package_vulnerabilities.ts — node mappers with subtitles and execution-details rendering.
  • index.ts — registered the three mappers and their event-state entries (quarantinePackage uses a custom state registry for quarantine vs. release).
  • types.ts — added ScanPackageConfiguration, QuarantinePackageConfiguration, GetPackageVulnerabilitiesConfiguration, VulnerabilityScanResult, and VulnerabilityPackageRef.
  • Added frontend spec tests for each mapper.

@superplanehq-integration


👋 Commands for maintainers:

  • /sp start - Start an ephemeral machine (takes ~30s)
  • /sp stop - Stop a running machine (auto-executed on pr close)

@felixgateru felixgateru force-pushed the feat/cloudsmith-packages-vulnerabilities branch from 048e2c1 to a073488 on June 25, 2026 05:52
@felixgateru felixgateru marked this pull request as ready for review on June 25, 2026 10:34
Comment thread pkg/integrations/cloudsmith/scan_package.go Outdated
Comment thread pkg/integrations/cloudsmith/get_package_vulnerabilities.go Outdated
@superplane-gh-integration-9000


Docs Impact Review

This PR adds three new Cloudsmith components that form a multi-step, asynchronous vulnerability management pipeline; the component reference docs are updated, but a workflow overview section explaining how the pieces chain together is missing.

Suggested docs updates:

  • docs/components/Cloudsmith.mdx — add a Vulnerability Scanning Workflow section near the top of the page (after the Actions card grid) that explains the end-to-end async pipeline: Scan Package schedules the scan → the On Vulnerability Scan Completed trigger fires when results are ready → Get Package Vulnerabilities retrieves the findings → Quarantine Package takes action. A short sequence diagram or numbered list would make the asynchronous, multi-node nature clear to users who are looking at the components individually and may not realize they are designed to work together.

Why: The three new components introduce an asynchronous, cross-component security workflow that is not obvious from reading each component's section in isolation. The Scan Package docs mention the async pattern in one sentence ("use the On Vulnerability Scan Completed trigger or the Get Package Vulnerabilities action to retrieve results"), but there is no single place that shows users how to wire the full pipeline together. This kind of cross-component sequencing is exactly the gap the guidelines flag: a capability that changes how users think about the integration and belongs in a concept-level explanation, not just in per-component field descriptions.


Maintainer commands

Command                  What it does
/docs-agree              Open a tracking issue in superplanehq/docs and assign it to you.
/docs-reject <reason>    Dismiss this check. A short reason is required (e.g. /docs-reject not user-facing).

Posted automatically by warp-gateway · commit a073488

@superplane-gh-integration-9000

superplane-gh-integration-9000 Bot commented Jun 25, 2026


Risk: 28/100 (low)

Summary

Adds three new Cloudsmith action components (ScanPackage, QuarantinePackage, GetPackageVulnerabilities) in Go and TypeScript, following the same patterns as the existing Cloudsmith actions merged in #5568.

Concerns

  • QuarantinePackage.Execute error message says 'failed to quarantine package' even when action is Release.
  • GetPackageVulnerabilities client method does not handle API pagination; assumes first page contains the latest scan.
  • Quarantine action can silently default to 'Quarantine' when spec.Action is empty during execution (no validation in Execute path, only in Setup).

Recommended reviewers: bender-rodriguez-unit1
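Two of the concerns above (the silent default when the action is empty, and trusting the first page of /vulnerabilities/ to hold the latest scan) as an added Go example; this is not the project's code. The VulnerabilityScanResult fields and the PageFetcher abstraction over the paginated endpoint are assumptions, not the PR's actual types.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical stand-in for the PR's VulnerabilityScanResult client type.
type VulnerabilityScanResult struct {
	Identifier string
	CreatedAt  time.Time
}

// QuarantineAction validates the action on the execute path (not only in Setup)
// so an empty value is rejected rather than silently treated as quarantine.
func QuarantineAction(action string) (quarantine bool, err error) {
	switch action {
	case "quarantine":
		return true, nil
	case "release":
		return false, nil
	default:
		return false, fmt.Errorf("invalid quarantine action %q: want quarantine or release", action)
	}
}

// PageFetcher is an assumed abstraction over a paginated scan-results
// endpoint: it returns one page and whether a further page exists.
type PageFetcher func(page int) ([]VulnerabilityScanResult, bool, error)
// LatestScan walks every page (bounded by maxPages) and returns the newest
// result by CreatedAt; the bool is false when no result exists at all.
func LatestScan(fetch PageFetcher, maxPages int) (VulnerabilityScanResult, bool, error) {
	var latest VulnerabilityScanResult
	found := false
	for page := 1; page <= maxPages; page++ {
		results, hasNext, err := fetch(page)
		if err != nil {
			return latest, false, fmt.Errorf("vulnerabilities page %d: %w", page, err)
		}
		for _, r := range results {
			if !found || r.CreatedAt.After(latest.CreatedAt) {
				latest, found = r, true
			}
		}
		if !hasNext {
			break
		}
	}
	return latest, found, nil
}
```

A release gate built on LatestScan should treat ok=false (no scan result yet) as "not scanned", not as "no findings".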

@felixgateru felixgateru force-pushed the feat/cloudsmith-packages-vulnerabilities branch from a073488 to a5d217f on June 25, 2026 12:29

@cursor cursor Bot left a comment

Contributor


Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.


Reviewed by Cursor Bugbot for commit a5d217f.

Comment thread pkg/integrations/cloudsmith/quarantine_package.go
@felixgateru felixgateru force-pushed the feat/cloudsmith-packages-vulnerabilities branch from a5d217f to 07688bc on June 25, 2026 14:30
Rebuilt on top of upstream's merged Cloudsmith integration. Adds three
new actions on top of the existing getPackage/resync/tag/delete set:

- scanPackage: schedule a vulnerability scan for a package
- quarantinePackage: quarantine or release a package
- getPackageVulnerabilities: fetch the latest vulnerability scan result

Includes client methods, component registration, example outputs,
frontend mappers, types, tests, and regenerated docs.

Signed-off-by: Felix Gateru <felix.gateru@gmail.com>
@felixgateru felixgateru force-pushed the feat/cloudsmith-packages-vulnerabilities branch from 07688bc to 9adebe4 on June 25, 2026 14:46