From 84092c148149a158812440e3b1ccc152e0770d3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20Backstr=C3=B6m?= Date: Tue, 12 Nov 2024 14:46:00 +0100 Subject: [PATCH 1/2] gh: Pin all github actions versions --- .github/workflows/actions-updater.yaml | 6 +- .github/workflows/main.yaml | 76 ++++++++++----------- .github/workflows/pr-comment.yaml | 14 ++-- .github/workflows/sync-github-prs.yaml | 4 +- .github/workflows/sync-github-releases.yaml | 2 +- .github/workflows/update-base.yaml | 4 +- 6 files changed, 53 insertions(+), 53 deletions(-) diff --git a/.github/workflows/actions-updater.yaml b/.github/workflows/actions-updater.yaml index 8c9508102019..bfe85ba783fe 100644 --- a/.github/workflows/actions-updater.yaml +++ b/.github/workflows/actions-updater.yaml @@ -14,17 +14,17 @@ jobs: steps: - name: Generate token id: generate_token - uses: actions/create-github-app-token@v1.10.4 + uses: actions/create-github-app-token@3378cda945da322a8db4b193e19d46352ebe2de5 # ratchet:actions/create-github-app-token@v1.10.4 with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PEM }} - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 with: token: ${{ steps.generate_token.outputs.token }} - name: Run GitHub Actions Version Updater - uses: saadmk11/github-actions-version-updater@v0.8.1 + uses: saadmk11/github-actions-version-updater@64be81ba69383f81f2be476703ea6570c4c8686e # ratchet:saadmk11/github-actions-version-updater@v0.8.1 with: token: ${{ steps.generate_token.outputs.token }} pull_request_branch: "github/actions-update" diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index c1e5b0ee0223..3e1085129059 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
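Review bot: The `saadmk11/github-actions-version-updater` step that this hunk pins is itself the tool that rewrites `uses:` version tags, and nothing in the hunk shows whether it understands the new `@<sha> # ratchet:owner/repo@vX.Y.Z` form; if it does not, its next run on the `github/actions-update` branch may either rewrite the pins back to mutable tags or skip them and leave the SHAs stale, silently undoing the hardening applied in every hunk of this series (main.yaml, pr-comment.yaml, sync-github-prs.yaml, sync-github-releases.yaml, update-base.yaml). Worth confirming on one updater run, or moving the updater to a ratchet-style flow that bumps the SHA and the trailing comment together. A short comment above the first pinned step would also help future readers, e.g. `# uses: lines are pinned to a commit SHA; the trailing "# ratchet:" comment records the tag that SHA resolves to and must be updated with it`. The `steps:` list continues outside the hunk.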
@@ -41,7 +41,7 @@ jobs: c-code-changes: ${{ steps.c-code-changes.outputs.changes }} all: ${{ steps.apps.outputs.all }} steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -58,7 +58,7 @@ jobs: ALL_APPS=$(jq -n --arg inarr "${ALL_APPS}" '$inarr | split("\n")' | tr '\n' ' ') echo "all=${ALL_APPS}" >> $GITHUB_OUTPUT - name: Check which applications have changed - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # ratchet:dorny/paths-filter@v3.0.2 id: app-changes with: filters: .github/scripts/path-filters.yaml @@ -74,19 +74,19 @@ jobs: echo "changes=${CHANGED_APPS}" >> "$GITHUB_OUTPUT" fi - name: Check if there are any C-code changes, if not then limit CI run - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # ratchet:dorny/paths-filter@v3.0.2 id: c-code-changes with: filters: .github/scripts/c-code-path-filters.yaml - name: Cache pre-built src - uses: actions/cache@v4.0.2 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # ratchet:actions/cache@v4.0.2 with: path: otp_src.tar.gz key: prebuilt-src-${{ github.ref_name }}-${{ github.sha }} restore-keys: | prebuilt-src-${{ github.base_ref }}-${{ github.event.pull_request.base.sha }} - name: Cache pre-built binaries - uses: actions/cache@v4.0.2 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # ratchet:actions/cache@v4.0.2 with: path: otp_cache.tar.gz key: prebuilt-cache-64-bit-${{ github.ref_name }}-${{ github.sha }} 
@@ -95,12 +95,12 @@ jobs: - name: Create initial pre-release tar run: .github/scripts/init-pre-release.sh otp_archive.tar.gz otp_src.tar.gz - name: Upload source tar archive - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: otp_git_archive path: otp_archive.tar.gz - name: Check how we can use the pre-built cache - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # ratchet:dorny/paths-filter@v3.0.2 id: cache with: filters: | @@ -139,7 +139,7 @@ jobs: "`pwd`/.github/otp.tar.gz" \ "`pwd`/otp_archive.tar.gz" - name: Upload restored cache - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 if: runner.debug == 1 with: name: restored-cache @@ -166,7 +166,7 @@ jobs: bash -c 'set -x; C_APPS=$(ls -d ./lib/*/c_src); find Makefile ./make ./erts ./bin/`erts/autoconf/config.guess` ./lib/erl_interface ./lib/jinterface ${C_APPS} `echo "${C_APPS}" | sed -e 's:c_src$:priv:'` -type f -newer README.md \! -name "*.beam" \! -path "*/doc/*" | xargs tar --transform "s:^./:otp/:" -uvf /github/otp_cache.tar' gzip otp_cache.tar - name: Upload pre-built tar archives - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: otp_prebuilt path: | 
@@ -181,16 +181,16 @@ jobs: env: WXWIDGETS_VERSION: 3.1.5 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - name: Download source archive - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 with: name: otp_prebuilt - name: Cache wxWidgets id: wxwidgets-cache - uses: actions/cache@v4.0.2 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # ratchet:actions/cache@v4.0.2 with: path: wxWidgets key: wxWidgets-${{ env.WXWIDGETS_VERSION }}-${{ runner.os }}-${{ hashFiles('.github/scripts/build-macos-wxwidgets.sh')}}-12 @@ -216,7 +216,7 @@ jobs: ./bin/erl -noshell -eval '{wx_ref,_,_,_} = wx:new(), io:format("wx ok~n"), halt().' - name: Upload tarball - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: otp_prebuilt_macos_x86-64 path: otp/otp_macos_*_x86-64.tar.gz @@ -229,9 +229,9 @@ jobs: runs-on: macos-12 needs: pack steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - name: Download source archive - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 with: name: otp_prebuilt @@ -250,7 +250,7 @@ jobs: xcodebuild -create-xcframework -output ./liberlang.xcframework -library liberlang.a - name: Upload framework - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: ios_framework_${{ env.TARGET_ARCH }} path: otp/liberlang.xcframework 
@@ -266,7 +266,7 @@ jobs: needs: pack if: needs.pack.outputs.c-code-changes steps: - - uses: Vampire/setup-wsl@v3.1.1 + - uses: Vampire/setup-wsl@6f87de3102a29ac6b92800f33bf1e8d9164ac0a1 # ratchet:Vampire/setup-wsl@v3.1.1 with: distribution: Ubuntu-18.04 @@ -280,7 +280,7 @@ jobs: IF EXIST "c:\\Program Files\\OpenSSL-Win64" (move "c:\\Program Files\\OpenSSL-Win64" "c:\\OpenSSL-Win64") ELSE (move "c:\\Program Files\\OpenSSL" "c:\\OpenSSL-Win64") - name: Cache wxWidgets - uses: actions/cache@v4.0.2 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # ratchet:actions/cache@v4.0.2 with: path: wxWidgets key: wxWidgets-${{ env.WXWIDGETS_VERSION }}-${{ runner.os }} @@ -322,7 +322,7 @@ jobs: nmake TARGET_CPU=amd64 BUILD=release SHARED=0 DIR_SUFFIX_CPU= -f makefile.vc - name: Download source archive - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 with: name: otp_prebuilt @@ -350,7 +350,7 @@ jobs: ./otp_build installer_win32 - name: Upload installer - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: otp_win32_installer path: otp/release/win32/otp*.exe @@ -362,7 +362,7 @@ jobs: if: needs.pack.outputs.c-code-changes steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -390,7 +390,7 @@ jobs: fail-fast: false steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} 
@@ -401,7 +401,7 @@ jobs: runs-on: ubuntu-latest needs: pack steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -423,12 +423,12 @@ jobs: - name: Release docs to publish run: .github/scripts/release-docs.sh - name: Upload html documentation archive - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: otp_doc_html path: otp_doc_html.tar.gz - name: Upload man documentation archive - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: otp_doc_man path: otp_doc_man.tar.gz @@ -446,7 +446,7 @@ jobs: runs-on: ubuntu-latest needs: pack steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -475,7 +475,7 @@ jobs: # type: ["os_mon","sasl"] fail-fast: false steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -512,7 +512,7 @@ jobs: sudo bash -c "chown -R `whoami` make_test_dir && chmod -R +r make_test_dir" tar czf ${{ matrix.type }}_test_results.tar.gz make_test_dir - name: Upload test results - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 if: ${{ !cancelled() }} with: name: ${{ matrix.type }}_test_results 
@@ -524,12 +524,12 @@ jobs: if: ${{ !cancelled() }} # Run even if the need has failed needs: test steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} - name: Download test results - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 - name: Merge test results run: | shopt -s nullglob @@ -559,14 +559,14 @@ jobs: -e 's:\(file="erts/\)make_test_dir/[^/]*:\1test:g' \ make_test_dir/*_junit.xml - name: Upload test results - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 if: ${{ !cancelled() }} with: name: test_results path: test_results.tar.gz - name: Upload Test Results if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: Unit Test Results path: | 
@@ -593,19 +593,19 @@ jobs: echo "tag=${TAG}" >> $GITHUB_OUTPUT echo "vsn=${VSN}" >> $GITHUB_OUTPUT - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 ## Publish the pre-built archive and docs - name: Download source archive - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 with: name: otp_prebuilt - name: Download html docs - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 with: name: otp_doc_html - name: Download man docs - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/download-artifact@v4.1.8 with: name: otp_doc_man @@ -624,7 +624,7 @@ jobs: sha256sum $FILES > SHA256.txt - name: Upload pre-built and doc tar archives - uses: softprops/action-gh-release@v2.0.8 + uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # ratchet:softprops/action-gh-release@v2.0.8 with: name: OTP ${{ steps.tag.outputs.vsn }} files: | @@ -643,7 +643,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Upload - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # ratchet:actions/upload-artifact@v4.4.0 with: name: Event File path: ${{ github.event_path }} diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml index 8ebc7c22d42b..d9d29e1659d2 100644 --- a/.github/workflows/pr-comment.yaml +++ b/.github/workflows/pr-comment.yaml @@ -21,7 +21,7 @@ jobs: outputs: result: ${{ steps.pr-number.outputs.result }} steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - name: Fetch PR number id: pr-number env: 
@@ -40,9 +40,9 @@ jobs: pull-requests: write if: github.event.action == 'requested' && needs.pr-number.outputs.result != '' steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 ## We create an initial comment with some useful help to the user - - uses: actions/github-script@v7.0.1 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # ratchet:actions/github-script@v7.0.1 with: script: | const script = require('./.github/scripts/pr-comment.js'); @@ -63,7 +63,7 @@ jobs: needs.pr-number.outputs.result != '' && github.event.workflow_run.conclusion != 'skipped' steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - name: Download and Extract Artifacts id: extract env: @@ -88,14 +88,14 @@ jobs: echo "HAS_TEST_ARTIFACTS=false" >> $GITHUB_OUTPUT fi - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 with: token: ${{ secrets.ERLANG_TOKEN }} repository: 'erlang/erlang.github.io' path: erlang.github.io - name: Publish CT Test Results - uses: EnricoMi/publish-unit-test-result-action@v2.17.1 + uses: EnricoMi/publish-unit-test-result-action@82082dac68ad6a19d980f8ce817e108b9f496c2a # ratchet:EnricoMi/publish-unit-test-result-action@v2.17.1 if: steps.extract.outputs.HAS_TEST_ARTIFACTS == 'true' with: commit: ${{ github.event.workflow_run.head_sha }} @@ -131,7 +131,7 @@ jobs: ## Append some useful links and tips to the test results posted by ## Publish CT Test Results - - uses: actions/github-script@v7.0.1 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # ratchet:actions/github-script@v7.0.1 if: always() with: script: | diff --git a/.github/workflows/sync-github-prs.yaml b/.github/workflows/sync-github-prs.yaml index 13c971130f58..9fb4c1c31666 100644 
--- a/.github/workflows/sync-github-prs.yaml +++ b/.github/workflows/sync-github-prs.yaml @@ -14,8 +14,8 @@ jobs: concurrency: erlang.github.io-deploy runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v4.1.7 - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 with: token: ${{ secrets.ERLANG_TOKEN }} repository: 'erlang/erlang.github.io' diff --git a/.github/workflows/sync-github-releases.yaml b/.github/workflows/sync-github-releases.yaml index a7ca3e3636c1..a2feff2e688e 100644 --- a/.github/workflows/sync-github-releases.yaml +++ b/.github/workflows/sync-github-releases.yaml @@ -19,7 +19,7 @@ jobs: concurrency: sync-github-releases runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 ## We need to login to the package registry in order to pull ## the base debian image. - name: Docker login diff --git a/.github/workflows/update-base.yaml b/.github/workflows/update-base.yaml index 0e3f2af4f342..2b92d64535d8 100644 --- a/.github/workflows/update-base.yaml +++ b/.github/workflows/update-base.yaml @@ -26,14 +26,14 @@ jobs: fail-fast: false steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 with: ref: ${{ matrix.branch }} - name: Cleanup GH Runner shell: bash run: .github/scripts/cleanup_gh_runner.sh - name: Docker login - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # ratchet:docker/login-action@v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} From 1ae9f847fc26e45945a97e35c42fe82aa3fa5c6a Mon Sep 17 00:00:00 2001 
From: Kiko Fernandez-Reyes
Date: Mon, 23 Sep 2024 11:23:26 +0200
Subject: [PATCH 2/2] github: add OSV automated vulnerability checking

---
 .github/workflows/osv-scanner-scheduled.yml | 77 +++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .github/workflows/osv-scanner-scheduled.yml

diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 000000000000..abe6aabec60e
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,77 @@
+## Runs the Google OSV-scanner utility to detect known vulnerabilities.
+## The scan is run on each PR/push and also periodically on each maintained branch
+name: Open Source Vulnerabilities Scanner
+
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: 0 1 * * *
+
+permissions:
+ contents: read
+
+jobs:
+ schedule-scan:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'schedule' && github.repository == 'erlang/otp'
+ # if: github.event_name != 'workflow_dispatch' # used for testing
+ outputs:
+ versions: ${{ steps.get-versions.outputs.versions }}
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7
+ - id: get-versions
+ name: Fetch latest 3 OTP versions
+ run: |
+ VSNs=$(grep -E 'OTP-[^.]+[.]0 :' otp_versions.table | awk '{ print $1 '} | head -3 | sed 's/[-.]/ /g' | awk '{print $2}')
+ versions='["maint", "master"'
+ for vsn in $VSNs; do
+ versions="${versions}, \"maint-$vsn\""
+ done
+ versions="${versions}]"
+ echo "versions=${versions}" >> "$GITHUB_OUTPUT"
+
+ run-scheduled-scan:
+ # Fan out and create requests to run OSV on multiple branches.
+ # It always succeed: either it sends requests to branches that
+ # can run 'scan-pr' (if the repo/branch contains this file) or
+ # skips sending the request.
+ needs: schedule-scan
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
+ fail-fast: false
+ permissions:
+ actions: write
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7
+ with:
+ ref: ${{ matrix.type }}
+
+ - name: Trigger Vulnerability Scanning
+ env:
+ GH_TOKEN: ${{ github.token }}
+ if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+ run: |
+ gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
+ -f "ref=${{ matrix.type }}"
+
+ scan-pr:
+ # run-scheduled-scan triggers this job
+ # PRs and pushes trigger this job
+ if: github.event_name != 'schedule'
+ permissions:
+ # Required to upload SARIF file to CodeQL.
+ # See: https://github.com/github/codeql-action/issues/2117
+ actions: read
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # ratchet:google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.5
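Review bot: In the `get-versions` step the closing quote of the awk program is misplaced, `awk '{ print $1 '}`, which only works because the shell concatenates the unquoted `}` onto the quoted text; write `awk '{ print $1 }'` so the program reads as intended. In `Trigger Vulnerability Scanning`, `${{ matrix.type }}` is expanded directly into the `run:` script; the values come from `otp_versions.table` on the checked-out ref, so the risk here is low, but the workflow-hardening convention is to pass expression values through `env:` (`REF: ${{ matrix.type }}`) and use `-f "ref=$REF"` in the script, which also keeps the step safe if the version list is ever derived from less trusted input. `scan-pr` runs on `pull_request` with `security-events: write`, yet for PRs opened from forks the token is presumably read-only, so the SARIF upload inside the reusable workflow would fail on those runs; if fork PRs are expected, confirm how the pinned reusable workflow behaves there (it exposes an upload toggle, if I recall correctly) or condition the job on the PR's origin. Minor: quote the cron expression, `- cron: '0 1 * * *'`, as is conventional for schedule values.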