Remove empty error from responses #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: OSV-Scanner PR Scan | |
| # see https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-reusable-pr.yml | |
| on: | |
| pull_request: | |
| branches: [main] | |
| merge_group: | |
| branches: [main] | |
| permissions: | |
| # Require writing security events to upload SARIF file to security tab | |
| security-events: write | |
| # Only need to read contents | |
| contents: read | |
| jobs: | |
| scan-pr: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # Do persist credentials, as we need it for the git checkout later | |
| - name: "Checkout target branch" | |
| run: git checkout $GITHUB_BASE_REF | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: "Setup venv" | |
| run: python -m venv venv | |
| - name: "Install in venv" | |
| run: ./venv/bin/pip install -e . | |
| - name: "Freeze dependencies" | |
| run: ./venv/bin/pip freeze > ./requirements.txt | |
| - name: "Run scanner on requirements.txt" | |
| uses: google/osv-scanner/actions/scanner@main | |
| continue-on-error: true | |
| with: | |
| scan-args: |- | |
| --format=json | |
| --output=old-results.json | |
| --lockfile=./requirements.txt | |
| - name: "Cleanup venv" | |
| run: rm -rf ./venv | |
| - name: "Checkout current branch" | |
| run: git checkout $GITHUB_SHA | |
| - name: "Setup venv" | |
| run: python -m venv venv | |
| - name: "Install in venv" | |
| run: ./venv/bin/pip install -e . | |
| - name: "Freeze dependencies" | |
| run: ./venv/bin/pip freeze > ./requirements.txt | |
| - name: "Run scanner on new code" | |
| uses: google/osv-scanner/actions/scanner@main | |
| with: | |
| scan-args: |- | |
| --format=json | |
| --output=new-results.json | |
| --lockfile=./requirements.txt | |
| continue-on-error: true | |
| - name: "Run osv-scanner-reporter" | |
| uses: google/osv-scanner/actions/reporter@main | |
| with: | |
| scan-args: |- | |
| --output=results.sarif | |
| --old=old-results.json | |
| --new=new-results.json | |
| --gh-annotations=true | |
| --fail-on-vuln=true | |
| # Upload the results as artifacts (optional). | |
| - name: "Upload artifact" | |
| if: "!cancelled()" | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| retention-days: 5 | |
| - name: "Upload old scan json results" | |
| if: "!cancelled()" | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: old-json-results | |
| path: old-results.json | |
| retention-days: 5 | |
| - name: "Upload new scan json results" | |
| if: "!cancelled()" | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: new-json-results | |
| path: new-results.json | |
| retention-days: 5 | |
| # Upload the results to GitHub's code scanning dashboard. | |
| # - name: "Upload to code-scanning" | |
| # if: "!cancelled()" | |
| # uses: github/codeql-action/upload-sarif@v3 | |
| # with: | |
| # sarif_file: results.sarif |