run on workflow containing pack

Author: kikofernandez

.github/workflows/main.yaml

@@ -880,12 +880,11 @@ jobs:
         if: github.event_name == 'push'
         uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]
 
-  vendor-analysis:
-    name: Vendor Vulnerability Scanning
+  extract-deps:
+    name: Extract Dependencies
     runs-on: ubuntu-latest
     needs:
-        - pack
-
+      - pack
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
       - uses: ./.github/actions/build-base-image
@@ -898,6 +897,49 @@ jobs:
           docker run -v $PWD/:/github -v $HOME:$HOME otp \
             "/github/.github/scripts/otp-compliance.es sbom osv-scan"
 
+      - name: "upload osv-scanner deps" # Upload the deps
+        uses: actions/upload-artifact@v4
+        with:
+          name: converted-OSV-Scanner-deps
+          path: osv-scanner.json
+          retention-days: 2
+
+  scan-pr:
+    # run-scheduled-scan triggers this job
+    # PRs and pushes trigger this job
+    needs: extract-deps
+    permissions:
+        # Require writing security events to upload SARIF file to security tab
+        security-events: write
+        # Required to upload SARIF file to CodeQL.
+        # See: https://github.com/github/codeql-action/issues/2117
+        actions: read
+        contents: read
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f" # ratchet:google/osv-scanner-action/.github/workflows/[email protected]
+    with:
+        download-artifact: converted-OSV-Scanner-deps
+        upload-sarif: ${{ github.repository == 'erlang/otp' }}
+        scan-args: |-
+            --lockfile=osv-scanner:osv-scanner.json
+
+  # vendor-analysis:
+  #   name: Vendor Vulnerability Scanning
+  #   runs-on: ubuntu-latest
+  #   needs:
+  #       - pack
+
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+  #     - uses: ./.github/actions/build-base-image
+  #       with:
+  #           BASE_BRANCH: ${{ env.BASE_BRANCH }}
+
+  #     # check that PRs do not introduce vulnerabilities in vendor dependencies
+  #     - name: 'Vendor Vulnerability Scanning'
+  #       run: |
+  #         docker run -v $PWD/:/github -v $HOME:$HOME otp \
+  #           "/github/.github/scripts/otp-compliance.es sbom osv-scan"
+
   ## If this is an "OTP-*" tag that has been pushed we do some release work
   release:
     name: Release Erlang/OTP

.github/workflows/osv-scanner-scheduled.yml

@@ -101,6 +101,7 @@ jobs:
   scan-pr:
     # run-scheduled-scan triggers this job
     # PRs and pushes trigger this job
+    needs: extract-deps
     if: github.event_name != 'schedule'
     permissions:
         # Require writing security events to upload SARIF file to security tab
@@ -111,6 +112,7 @@ jobs:
         contents: read
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f" # ratchet:google/osv-scanner-action/.github/workflows/[email protected]
     with:
+        download-artifact: converted-OSV-Scanner-deps
         upload-sarif: ${{ github.repository == 'erlang/otp' }}
         scan-args: |-
             --lockfile=osv-scanner:osv-scanner.json