Fix OSV scanner workflow

zentralopensource · Aug 28, 2024 · ba2f87e · ba2f87e
1 parent 034c450
commit ba2f87e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 31 deletions.
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -1,23 +1,38 @@
----
-name: OSV-Scanner Scheduled Scan
-# see https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-reusable.yml
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner
 
 on:
+  pull_request:
+    branches: [ "main" ]
+  merge_group:
+    branches: [ "main" ]
   schedule:
-    - cron: "30 12 * * 1"
+    - cron: '28 22 * * 1'
   push:
-    branches: [main]
-  workflow_dispatch:
+    branches: [ "main" ]
 
 permissions:
   # Require writing security events to upload SARIF file to security tab
   security-events: write
-  # Only need to read contents
+  # Read commit contents
   contents: read
 
 jobs:
   scan-scheduled:
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main"
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@678a866dcba398c8ed0124a09928d250f187b52a" # v1.8.4
+    with:
+      scan-args: |-
+        --lockfile ./package-lock.json
+        --lockfile requirements.txt:./constraints.txt
+  scan-pr:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@678a866dcba398c8ed0124a09928d250f187b52a" # v1.8.4
     with:
       scan-args: |-
         --lockfile ./package-lock.json