Bump google/osv-scanner-action from 2.2.4 to 2.3.0 (#27) #54
| --- | |
| name: OSV-Scanner Scheduled Scan | |
| # see https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-reusable.yml | |
| on: | |
| schedule: | |
| - cron: "30 12 * * 1" | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| permissions: | |
| # Require writing security events to upload SARIF file to security tab | |
| security-events: write | |
| # Only need to read contents | |
| contents: read | |
| # see https://github.com/google/osv-scanner-action/blob/main/.github/workflows/osv-scanner-reusable.yml | |
| jobs: | |
| scan-scheduled: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-python@v6 | |
| with: | |
| python-version: '3.12' | |
| - name: "Setup venv" | |
| run: python -m venv venv | |
| - name: "Install in venv" | |
| run: ./venv/bin/pip install -e '.[full]' | |
| - name: "Freeze dependencies" | |
| run: ./venv/bin/pip freeze > ./requirements.txt | |
| - name: "Run scanner" | |
| uses: google/osv-scanner-action/osv-scanner-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0 | |
| with: | |
| scan-args: |- | |
| --format=json | |
| --output=results.json | |
| --lockfile=./requirements.txt | |
| continue-on-error: true | |
| - name: "Run osv-scanner-reporter" | |
| uses: google/osv-scanner-action/osv-reporter-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0 | |
| with: | |
| scan-args: |- | |
| --output=results.sarif | |
| --new=results.json | |
| --gh-annotations=false | |
| --fail-on-vuln=true | |
| # Upload the results as artifacts. | |
| - name: "Upload artifact" | |
| if: "!cancelled()" | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| retention-days: 5 | |
| # Upload the results to GitHub's code scanning dashboard. | |
| - name: "Upload to code-scanning" | |
| if: "!cancelled()" | |
| uses: github/codeql-action/upload-sarif@16df4fbc19aea13d921737861d6c622bf3cefe23 # v2.23.0 | |
| with: | |
| sarif_file: results.sarif |