From f002c148a500eea689c900b758ee5516771ebdfd Mon Sep 17 00:00:00 2001
From: Thomas Leplus
Date: Sun, 5 May 2024 12:43:56 -0300
Subject: [PATCH] Switch to GitHub action

---
 .github/workflows/osv-scanner.yml | 62 +++++++++++++++++++++----------
 1 file changed, 42 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 0844e8b..8623de9 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -1,27 +1,49 @@
 ---
-name: "OSV Scanner"
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner
 
 on:
+  pull_request:
+    branches: [ "main" ]
+  merge_group:
+    branches: [ "main" ]
   schedule:
-  - cron: '0 0 * * 0'
-  workflow_dispatch:
+    - cron: '0 0 * * 0'
+  push:
+    branches: [ "main" ]
 
-permissions: {}
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read
 
 jobs:
-
-  check:
-    name: Check with OSV Scanner
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - name: Set up Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
-        with:
-          go-version: 'stable'
-          check-latest: true
-      - name: Install OSV Scanner
-        run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1
-      - name: OSV Scanner
-        run: 'PATH="${PATH}:$(go env GOPATH)/bin" osv-scanner -r .'
+  scan-scheduled:
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      # Example of specifying custom arguments
+      scan-args: |-
+        -r
+        --skip-git
+        ./
+  scan-pr:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      # Example of specifying custom arguments
+      scan-args: |-
+        -r
+        --skip-git
+        ./
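Review bot: Dropping the `workflow_dispatch:` trigger leaves no way to run either job on demand (for example to re-scan after a new advisory lands), and because both `if:` guards enumerate event names, re-adding the trigger alone would not be enough — `scan-scheduled` would still skip a manual run. Restore `workflow_dispatch:` under `on:` and widen the guard to `if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}`. The comments `# A sample workflow …` and `# Example of specifying custom arguments` are carried over verbatim from the upstream example; replacing them with one line that states this repository's intent, such as `# Weekly and on-push dependency scan; the PR job blocks newly introduced vulnerabilities`, documents why these triggers and `scan-args` were chosen. The workflow and job names also change (`OSV-Scanner`, `scan-pr`), so if branch protection listed the old `Check with OSV Scanner` check as required, that rule will need updating or merges will stall on a check that no longer reports.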