diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
index 8ebe841b17..30299180ea 100644
--- a/.github/workflows/osv-scanner-pr.yml
+++ b/.github/workflows/osv-scanner-pr.yml
@@ -16,76 +16,8 @@ permissions:
 jobs:
 scan-pr:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- # Do persist credentials, as we need it for the git checkout later
- - name: "Checkout target branch"
- run: git checkout $GITHUB_BASE_REF
- - name: "Rename constraints.txt file"
- run: cp ./constraints.txt /tmp/requirements.txt
- - name: "Run scanner on existing code"
- uses: google/osv-scanner/actions/scanner@main
- continue-on-error: true
- with:
- scan-args: |-
- --format=json
- --output=old-results.json
- -r
- --skip-git
- --lock-file=./package-lock.json
- --lock-file=/tmp/requirements.txt
- - name: "Checkout current branch"
- run: git checkout $GITHUB_SHA
- - name: "Rename constraints.txt file"
- run: cp ./constraints.txt /tmp/requirements.txt
- - name: "Run scanner on new code"
- uses: google/osv-scanner/actions/scanner@main
- with:
- scan-args: |-
- --format=json
- --output=old-results.json
- -r
- --skip-git
- --lock-file=./package-lock.json
- --lock-file=/tmp/requirements.txt
- continue-on-error: true
- - name: "Run osv-scanner-reporter"
- uses: google/osv-scanner/actions/reporter@main
- with:
- scan-args: |-
- --output=results.sarif
- --old=old-results.json
- --new=new-results.json
- --gh-annotations=true
- --fail-on-vuln=true
- # Upload the results as artifacts (optional).
- - name: "Upload artifact"
- if: "!cancelled()"
- uses: actions/upload-artifact@v4
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
- - name: "Upload old scan json results"
- if: "!cancelled()"
- uses: actions/upload-artifact@v4
- with:
- name: old-json-results
- path: old-results.json
- retention-days: 5
- - name: "Upload new scan json results"
- if: "!cancelled()"
- uses: actions/upload-artifact@v4
- with:
- name: new-json-results
- path: new-results.json
- retention-days: 5
- # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- if: "!cancelled()"
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: results.sarif
+ uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@v1.7.0"
+ with:
+ scan-args: |-
+ --lockfile ./package-lock.json
+ --lockfile requirements.txt:./constraints.txt
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 292dbabd55..513fc138ff 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -17,43 +17,8 @@ permissions:
 jobs:
 scan-scheduled:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- persist-credentials: false
- - name: "Rename constraints.txt file"
- run: cp ./constraints.txt /tmp/requirements.txt
- - name: "Run scanner"
- uses: google/osv-scanner/actions/scanner@main
- continue-on-error: true
- with:
- scan-args: |-
- --format=json
- --output=results.json
- -r
- --skip-git
- --lock-file=./package-lock.json
- --lock-file=/tmp/requirements.txt
- - name: "Run osv-scanner-reporter"
- uses: google/osv-scanner/actions/reporter@main
- with:
- scan-args: |-
- --output=results.sarif
- --new=results.json
- --gh-annotations=false
- --fail-on-vuln=true
- # Upload the results as artifacts.
- - name: "Upload artifact"
- if: "!cancelled()"
- uses: actions/upload-artifact@v4
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
- # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- if: "!cancelled()"
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: results.sarif
+ uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@v1.7.0"
+ with:
+ scan-args: |-
+ --lockfile ./package-lock.json
+ --lockfile requirements.txt:./constraints.txt
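Review bot: The two reusable-workflow references (`osv-scanner-reusable-pr.yml@v1.7.0` in this hunk and `osv-scanner-reusable.yml@v1.7.0` in the osv-scanner.yml hunk) are pinned to a git tag, which the upstream project can move or re-create, so each job trusts whatever that tag resolves to at run time rather than a fixed revision. Pinning to the full commit SHA and keeping the tag as a trailing comment makes the reference immutable while staying readable, e.g. `uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@<full-commit-sha-for-v1.7.0>"  # v1.7.0`, and lets dependency-update tooling track it. The `--fail-on-vuln=true` and `--gh-annotations` flags that the removed steps passed are not carried into the new `scan-args`, so whether a detected vulnerability fails the check now depends on the reusable workflow's defaults — worth confirming and, if relied on, recording in a comment above `with:`. The `permissions:` block these jobs run under is outside the hunk; it should be checked against what the reusable workflow needs for SARIF upload, since a too-narrow grant will fail the upload step rather than the scan.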