diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 9706dc191fc..651fd009d29 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -475,15 +475,14 @@ jobs:
   # this is a call to a workflow_call
   pr-vendor-vulnerability-analysis:
     needs: modified-vendor-files
-    if: ${{ needs.modified-vendor-files.outputs.vendor-files == 'true' && github.event_name == 'pull_request'}}
+    if: ${{ needs.modified-vendor-files.outputs.vendor-files == 'true' && github.event_name == 'pull_request' && github.repository == 'erlang/otp'}}
     permissions:
-      security-events: read
-      issues: write
+      actions: read
     name: Vendor Vulnerability Scanning
     uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml
     with:
-      fail_if_cve: false
-      checkout: false
+      fail_if_cve: true
+      checkout: true
       version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }} # equivalent of ${{ env.BASE_BRANCH }} but reusable-workflows do not allow to pass env.
     secrets: inherit
 
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
index 3ab3e9be42b..02ca0f04dc6 100644
--- a/.github/workflows/osv-scanner-scheduled.yml
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -57,11 +57,7 @@ jobs:
         type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
       fail-fast: false
     permissions:
-      security-events: read
-      issues: write
-      actions: write
-      contents: write
-      pull-requests: write
+      actions: read
     steps:
       # this call to a workflow_dispatch ref=master is important because
       # using ref={{matrix.type}} would trigger the workflow
diff --git a/.github/workflows/reusable-vendor-vulnerability-scanner.yml b/.github/workflows/reusable-vendor-vulnerability-scanner.yml
index 0bf681c0355..cd2988b8d27 100644
--- a/.github/workflows/reusable-vendor-vulnerability-scanner.yml
+++ b/.github/workflows/reusable-vendor-vulnerability-scanner.yml
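Review bot: The new `github.repository == 'erlang/otp'` guard on the `if` line does not exclude pull requests from forks — in a `pull_request` event `github.repository` is the base repository, so the job still runs for fork PRs, where `secrets: inherit` forwards no secrets and the called workflow's app-token step presumably fails before any scan happens. If the intent is to run only for same-repo branches, extend the condition with `github.event.pull_request.head.repo.full_name == github.repository`. Narrowing the job to `actions: read` is the right direction, but `secrets: inherit` still hands every repository secret to the reusable workflow; if that workflow declares the bot key under `on.workflow_call.secrets`, pass only `ERLANG_VENDOR_SCANNER_BOT_PRIVATE_KEY` explicitly instead.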
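Review bot: Reducing this job to `actions: read` only holds if the dispatch step the comment describes (a workflow_dispatch on ref=master) no longer authenticates with `GITHUB_TOKEN`; creating a workflow run through the API requires `actions: write`, so a step still using the default token would now get a 403. The steps are outside this hunk, so I cannot confirm which credential they use. If they use the scanner app token, a comment above `permissions:` such as `# dispatch below authenticates with the scanner app token; GITHUB_TOKEN only needs to read run status` would make the reduction self-explanatory to the next reader.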
@@ -51,7 +51,7 @@ on:
         default: 'master'
         type: 'string'
       fail_if_cve:
-        description: 'Fail if CVE is found'
+        description: 'Fail if CVE is found and create issue'
         required: true
         default: false
         type: boolean
@@ -72,7 +72,7 @@ on:
         default: 'master'
         type: 'string'
       fail_if_cve:
-        description: 'Fail if CVE is found'
+        description: 'Fail if CVE is found and create issue'
         required: true
         default: false
         type: boolean
@@ -92,8 +92,7 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     permissions:
-      security-events: read
-      issues: write
+      actions: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
         with:
@@ -103,8 +102,14 @@ jobs:
         with:
           otp-version: '28'
 
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # ratchet:actions/create-github-app-token@v2.1.4
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.ERLANG_VENDOR_SCANNER_APP_ID }}
+          private-key: ${{ secrets.ERLANG_VENDOR_SCANNER_BOT_PRIVATE_KEY }}
+
       - name: 'Analysis of dependencies from OpenVEX in ${{ inputs.version }}'
-        id: analysis
         run: |
           curl -L \
             -H "Accept: application/vnd.github+json" \
@@ -115,6 +120,6 @@ jobs:
           chmod +x otp-compliance.es
           cp otp-compliance.es /home/runner/work/otp/otp/.github/scripts/otp-compliance.es
           cd /home/runner/work/otp/otp && \
-          .github/scripts/otp-compliance.es sbom osv-scan \
+          GH_TOKEN="${{ steps.app-token.outputs.token }}" .github/scripts/otp-compliance.es sbom osv-scan \
             --version ${{ inputs.version }} \
             --fail_if_cve ${{ inputs.fail_if_cve }}
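Review bot: The `create-github-app-token` step mints a token carrying every permission the installation holds, because no `permission-*` inputs are given under `with:`; the only use visible in this change is creating an issue when a CVE is found (per the updated `fail_if_cve` description), so scope it with `permission-issues: write` and add `permission-contents: read` only if the scanner also reads the repository through the API. Leaving `owner` and `repositories` unset should, if I read the action's defaults correctly, already confine the token to the current repository, which is fine. The `# required` comment tells the reader nothing; replace it with the reason the app exists, e.g. `# app token instead of GITHUB_TOKEN: issue creation needs write scope this job no longer has`. Removing `id: analysis` is safe only if nothing else references `steps.analysis.outputs`; the rest of the job is outside this hunk, so that is worth a grep.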
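Review bot: `GH_TOKEN="${{ steps.app-token.outputs.token }}"` splices the token into the script text by template expansion; the conventional form is a step-level `env:` entry such as `SCANNER_TOKEN: ${{ steps.app-token.outputs.token }}` followed by `GH_TOKEN="$SCANNER_TOKEN" .github/scripts/otp-compliance.es sbom osv-scan \`, so the secret enters the process environment rather than the rendered `run:` body. The override applies to that one command only while the `curl` download earlier in the same step keeps the job-level `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; if that split is deliberate, say so above the line with `# app token only for the scanner (issue creation); the download above uses GITHUB_TOKEN`. The same `run:` block expands `${{ inputs.version }}` unquoted into the command line — pre-existing, but since `version` is also a workflow_dispatch input, routing it through `env:` and quoting it (`--version "$VERSION"`) would close the usual script-injection pattern. The `run:` block begins outside this hunk.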