From 27b5ebc0b455d5da3b705ad8a2a14e839ecebfb3 Mon Sep 17 00:00:00 2001
From: Rex P <106129829+another-rex@users.noreply.github.com>
Date: Thu, 3 Aug 2023 14:59:41 +1000
Subject: [PATCH] Dogfood our OSV-Scanner action! (#1524)

Adds two OSV-Scanner github actions - `osv-scanner-pr.yml` blocks PRs that introduce new vulnerabilities, and annotates the vulnerable changed file. - `osv-scanner-scheduled.yml` runs OSV-Scanner periodically and writes new vulnerabilities into the security code scanning tab. No notification system set up, so you have to manually look in code scanning tab for now.
---
.github/workflows/osv-scanner-pr.yml | 29 ++++++++++++++++++++
.github/workflows/osv-scanner-scheduled.yml | 30 +++++++++++++++++++++
2 files changed, 59 insertions(+)
create mode 100644 .github/workflows/osv-scanner-pr.yml
create mode 100644 .github/workflows/osv-scanner-scheduled.yml

diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
new file mode 100644
index 00000000000..b0d6880309f
--- /dev/null
+++ b/.github/workflows/osv-scanner-pr.yml
@@ -0,0 +1,29 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: osv-scanner
+
+on:
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+ merge_group:
+ branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ scan-pr-attempt:
+ uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@main"
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 00000000000..42079ab6e48
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
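Review bot: The reusable workflow on the last line of the hunk is referenced by the mutable branch ref `@main`, so the check this file turns into a merge blocker for every PR will change whenever google/osv-scanner's main branch moves, with no review happening in this repository (the commit wording suggests this is a different repository from google/osv-scanner, which is what makes the reference cross-repo). Pin it to a full-length commit SHA and keep the version readable in a trailing comment, e.g. `uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@<full-commit-sha>" # vX.Y.Z`, and let Dependabot or Renovate bump it. The top-level `permissions: read-all` is the right default for a workflow triggered by `pull_request`; whether the called workflow needs any write scope to annotate files is only visible in the callee, which this hunk does not show, so confirm the PR check actually succeeds under a read-only token. The `name: osv-scanner` chosen here is also the name given to the scheduled workflow in the same commit, which makes the two indistinguishable in the Actions list and in branch-protection required checks; `name: osv-scanner-pr` would disambiguate.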
@@ -0,0 +1,30 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: osv-scanner
+
+on:
+ schedule:
+ - cron: '12 12 * * 1'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions:
+ security-events: write
+ contents: read
+
+jobs:
+ scan-pr-attempt:
+ uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-scheduled.yml@main"
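Review bot: The comment `# Declare default permissions as read only.` above the permissions block is inaccurate, because the block grants `security-events: write`; replace it with the reason the scope is needed, e.g. `# contents: read for checkout; security-events: write so results can be written to the code scanning tab.` The reusable workflow is again taken from `@main` rather than a pinned full-length commit SHA, and the case for pinning is stronger here than on the PR workflow: whatever lands on the upstream branch runs in this repository with a token that can write code scanning alerts, so pin it and bump through Dependabot or Renovate. The job id `scan-pr-attempt` looks copied from the PR workflow and describes the wrong thing for a scheduled scan; `scan-scheduled` would match its purpose. If this repository is forked, the `schedule` trigger also fires on every fork; a guard on the job such as `if: github.repository == '<owner>/<repo>'` is the usual way to confine it to the canonical repository, though the repository name is not visible in this hunk.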