@@ -425,6 +425,50 @@ jobs:
425425 docker run otp "erl ${OPTION} -noshell -s init stop"
426426 done
427427
428+ extract-deps :
429+ name : Extract Dependencies
430+ runs-on : ubuntu-latest
431+ needs :
432+ - pack
433+ steps :
434+ -
uses :
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected] 435+ - uses : ./.github/actions/build-base-image
436+ with :
437+ BASE_BRANCH : ${{ env.BASE_BRANCH }}
438+
439+ # check that PRs do not introduce vulnerabilities in vendor dependencies
440+ - name : ' Vendor Vulnerability Scanning'
441+ run : |
442+ docker run -v $PWD/:/github -v $HOME:$HOME otp \
443+ "/github/.github/scripts/otp-compliance.es sbom osv-scan"
444+
445+ # Upload the deps
446+ - name : " upload osv-scanner deps"
447+ uses :
actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/[email protected] 448+ with :
449+ name : converted-OSV-Scanner-deps
450+ path : $PWD/osv-scanner.json
451+ retention-days : 2
452+
453+ scan-pr :
454+ # run-scheduled-scan triggers this job
455+ # PRs and pushes trigger this job
456+ needs : extract-deps
457+ permissions :
458+ # Require writing security events to upload SARIF file to security tab
459+ security-events : write
460+ # Required to upload SARIF file to CodeQL.
461+ # See: https://github.com/github/codeql-action/issues/2117
462+ actions : read
463+ contents : read
464+ uses :
" google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f" # ratchet:google/osv-scanner-action/.github/workflows/[email protected] 465+ with :
466+ download-artifact : converted-OSV-Scanner-deps
467+ upload-sarif : ${{ github.repository == 'erlang/otp' }}
468+ scan-args : |-
469+ --lockfile=osv-scanner:osv-scanner.json
470+
471+
428472 build :
429473 name : Build Erlang/OTP
430474 runs-on : ubuntu-latest
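Review bot: `path : $PWD/osv-scanner.json` on the upload-artifact step of extract-deps will most likely match nothing, because the `path` input of actions/upload-artifact is resolved by the action's own glob matcher rather than by a shell, so `$PWD` stays a literal prefix (`~` is the only expansion I am aware of there); the copy of this job removed further down used the workspace-relative `osv-scanner.json`. Unless the scan script writes the file somewhere other than the checkout, restore `path : osv-scanner.json` or write `path : ${{ github.workspace }}/osv-scanner.json`. Note that with upload-artifact's default `if-no-files-found: warn` this would only warn in extract-deps and surface later as a missing `converted-OSV-Scanner-deps` artifact in scan-pr, so a failed upload is easy to miss. Separately, extract-deps declares no `permissions:` block while scan-pr does; if the workflow-level default is not already read-only (not visible in this hunk), adding `permissions:` with `contents: read` to extract-deps keeps the job that runs the scanner container at least privilege.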
@@ -880,48 +924,6 @@ jobs:
880924 if : github.event_name == 'push'
881925 uses :
advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected] 882926
883- extract-deps :
884- name : Extract Dependencies
885- runs-on : ubuntu-latest
886- needs :
887- - pack
888- steps :
889- -
uses :
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected] 890- - uses : ./.github/actions/build-base-image
891- with :
892- BASE_BRANCH : ${{ env.BASE_BRANCH }}
893-
894- # check that PRs do not introduce vulnerabilities in vendor dependencies
895- - name : ' Vendor Vulnerability Scanning'
896- run : |
897- docker run -v $PWD/:/github -v $HOME:$HOME otp \
898- "/github/.github/scripts/otp-compliance.es sbom osv-scan"
899-
900- - name : " upload osv-scanner deps" # Upload the deps
901- uses : actions/upload-artifact@v4
902- with :
903- name : converted-OSV-Scanner-deps
904- path : osv-scanner.json
905- retention-days : 2
906-
907- scan-pr :
908- # run-scheduled-scan triggers this job
909- # PRs and pushes trigger this job
910- needs : extract-deps
911- permissions :
912- # Require writing security events to upload SARIF file to security tab
913- security-events : write
914- # Required to upload SARIF file to CodeQL.
915- # See: https://github.com/github/codeql-action/issues/2117
916- actions : read
917- contents : read
918- uses :
" google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f" # ratchet:google/osv-scanner-action/.github/workflows/[email protected] 919- with :
920- download-artifact : converted-OSV-Scanner-deps
921- upload-sarif : ${{ github.repository == 'erlang/otp' }}
922- scan-args : |-
923- --lockfile=osv-scanner:osv-scanner.json
924-
925927 # vendor-analysis:
926928 # name: Vendor Vulnerability Scanning
927929 # runs-on: ubuntu-latest