chore: osv-worker deployment

[joanagmaia]

This pull request introduces support for a new osv-worker service in the packages infrastructure. The main changes include adding Docker and service configuration for the new worker, updating build scripts, and integrating new start and development scripts. Additionally, the OSV sync workflow is updated to use its dedicated task queue.

New osv-worker service integration:

• Added a new Docker Compose YAML file (osv-worker.yaml) to define the osv-worker and osv-worker-dev services, including environment variables, build context, and volume mounts for development.
• Updated the list of services in packages.env to include osv-worker for Docker builds.

Script and workflow updates:

• Added new npm scripts in package.json for starting and developing the osv-worker, including local development variants. [1] [2]
• Changed the taskQueue in scheduleOsvSync from packages-worker to osv-worker to route OSV sync jobs to the new worker.

---

Note

Medium Risk
Routing the OSV schedule to osv-worker requires that worker to be running in each environment; otherwise scheduled sync workflows will not execute until deployment catches up.

Overview
Splits OSV advisory sync onto its own Temporal worker so it no longer shares the packages-worker queue.

Adds osv-worker to the packages Docker build list, a Compose file for prod (osv-worker) and dev (osv-worker-dev) with the osv-worker task queue, and start/dev/dev:local npm scripts plus src/bin/osv-worker.ts that initializes the service, registers the OSV schedule, then starts the worker. scheduleOsvSync now starts osvSync on task queue osv-worker instead of packages-worker.

^{Reviewed by Cursor Bugbot for commit f580bd7. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

• feat: add user authentication (CM-123)
• feat: add user authentication (IN-123)

Projects:

• CM: Community Data Platform
• IN: Insights

Please add a Jira issue key to your PR title.

[Copilot]

Pull request overview

This PR introduces a dedicated Temporal worker service (osv-worker) for OSV advisory sync within the packages_worker app, moving OSV scheduled workflow executions off the shared packages-worker queue.

Changes:

• Route the OSV sync schedule to the osv-worker Temporal task queue.
• Add a new osv-worker entrypoint plus start/dev scripts to run it.
• Add Docker Compose service definitions and include osv-worker in the packages build service list.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
services/apps/packages_worker/src/osv/schedule.ts	Updates the OSV schedule’s taskQueue to osv-worker.
services/apps/packages_worker/src/bin/osv-worker.ts	Adds a dedicated worker entrypoint that initializes the service, registers the OSV schedule, then starts the worker.
services/apps/packages_worker/package.json	Adds start:osv-worker, dev:osv-worker, and dev:osv-worker:local scripts.
scripts/services/osv-worker.yaml	Adds compose definitions for osv-worker and osv-worker-dev.
scripts/builders/packages.env	Adds osv-worker to the packages services build list.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.