ci: split tests into separate workflow to avoid running on irrelevant changes

Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from
`checks.yml` into a new `tests.yml` workflow file.

Configured `paths-ignore` for the `tests.yml` workflow so that these long-running
tests are skipped if changes only affect markdown files, documentation,
or other unrelated GitHub Actions workflows. This prevents unnecessary test runs
while still executing quick lint and formatting checks in `checks.yml`.

Additionally, fixed zizmor alerts for cache poisoning and credential persistence
in the docker job, and formatted the new file with prettier.

Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com>

Author: google-labs-jules[bot]

.github/workflows/tests.yml

@@ -78,7 +78,6 @@ jobs:
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: image-testdata-${{ github.run_number }}-*
-          merge-multiple: true
           path: cmd/osv-scanner/scan/image/testdata/
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0

cmd/osv-scanner/fix/__snapshots__/command_test.snap

@@ -9204,7 +9204,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
         {
           "name": "org.codehaus.plexus:plexus-utils",
           "versionFrom": "3.0",
-          "versionTo": "4.0.3",
+          "versionTo": "3.6.1",
           "transitive": false
         }
       ],
@@ -9358,7 +9358,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>4.0.3</version>
+      <version>3.6.1</version>
     </dependency>
   </dependencies>
 </project>
@@ -9512,7 +9512,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
 Found 13 vulnerabilities matching the filter
 Can fix 13/13 matching vulnerabilities by overriding 4 dependencies
 OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13
-OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3
+OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1
 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0
 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3
 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c
@@ -9566,7 +9566,7 @@ UNFIXABLE-VULNS: 0
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>4.0.3</version>
+      <version>3.6.1</version>
     </dependency>
   </dependencies>
 </project>
@@ -11354,7 +11354,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
 Found 13 vulnerabilities matching the filter
 Can fix 13/13 matching vulnerabilities by overriding 4 dependencies
 OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13
-OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3
+OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1
 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0
 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3
 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c
@@ -11408,7 +11408,7 @@ UNFIXABLE-VULNS: 0
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>4.0.3</version>
+      <version>3.6.1</version>
     </dependency>
   </dependencies>
 </project>

cmd/osv-scanner/mcp/__snapshots__/integration_test.snap

@@ -24,7 +24,6 @@ lockfile:<rootdir>/testdata/go-project/go.mod: found 1 package with issues
       Severity: '5.9'; Minimal Fix Version: '1.1.0';
 
   1 known vulnerability found in lockfile:<rootdir>/testdata/go-project/go.mod
-Hiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
-
+Hiding 15 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
 
 ---

cmd/osv-scanner/scan/image/__snapshots__/command_test.snap

@@ -1202,6 +1202,34 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 ---
 
+[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 1]
+Scanning local image tarball "./testdata/test-ubuntu-homebrew.tar"
+skipping file "home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/.git/objects/pack/pack-0113dab039640255baab5438994e90f67a4c482c.pack" because its size (1155620741 bytes) is larger than the max size (1073741824 bytes)
+
+
+Container Scanning Result (Ubuntu 22.04.5 LTS):
+Total 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++------------------------------------------------------------------------------------------------------------------------------------------------------+
+| Source:os:/home/linuxbrew/.linuxbrew/Cellar/cjson/1.7.17/INSTALL_RECEIPT.json                                                                        |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+| SOURCE PACKAGE                      | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+| https://github.com/DaveGamble/cJSON | 1.7.17            | No fix available |          3 |                         | # 19 Layer       | --            |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
+
+---
+
+[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 2]
+
+---
+
 [TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 1]
 {
   "results": [

cmd/osv-scanner/scan/image/command_test.go

@@ -352,6 +352,17 @@ func TestCommand_OCIImage(t *testing.T) {
 			},
 			Exit: 1,
 		},
+		{
+			Name: "scanning_ubuntu_image_with_homebrew_extractor",
+			Args: []string{
+				"", "image",
+				"--experimental-plugins", "os/homebrew",
+				"--experimental-plugins", "misc/brew-source",
+				"--experimental-no-default-plugins",
+				"--archive", "./testdata/test-ubuntu-homebrew.tar",
+			},
+			Exit: 1,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.Name, func(t *testing.T) {

cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml

@@ -15602,3 +15602,62 @@ interactions:
       status: 200 OK
       code: 200
       duration: 0s
+  - request:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 171
+      host: api.osv.dev
+      body: |
+        {
+          "queries": [
+            {
+              "package": {
+                "ecosystem": "GIT",
+                "name": "https://github.com/davegamble/cjson"
+              },
+              "version": "1.7.17"
+            }
+          ]
+        }
+      headers:
+        Content-Type:
+          - application/json
+        X-Test-Name:
+          - TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor
+      url: https://api.osv.dev/v1/querybatch
+      method: POST
+    response:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 220
+      body: |
+        {
+          "results": [
+            {
+              "vulns": [
+                {
+                  "id": "CVE-2023-53154",
+                  "modified": "2026-03-14T12:23:16.581554Z"
+                },
+                {
+                  "id": "CVE-2024-31755",
+                  "modified": "2026-03-14T12:30:30.932017Z"
+                },
+                {
+                  "id": "CVE-2025-57052",
+                  "modified": "2026-03-23T05:11:28.908372Z"
+                }
+              ]
+            }
+          ]
+        }
+      headers:
+        Content-Length:
+          - "220"
+        Content-Type:
+          - application/json
+      status: 200 OK
+      code: 200
+      duration: 0s

cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile

@@ -0,0 +1,13 @@
+FROM ghcr.io/homebrew/ubuntu22.04:5.1.4@sha256:6b3c4bc0a7128cf5a78d2e641da6e88ac4195714e1315c4d2b522532d7fb1e7a
+
+USER linuxbrew
+WORKDIR /home/linuxbrew
+
+ENV HOMEBREW_NO_AUTO_UPDATE=1 \
+    NONINTERACTIVE=1
+
+# Install vulnerable package
+RUN brew install cjson
+
+# Make it vulnerable :)
+RUN mv .linuxbrew/Cellar/cjson/* .linuxbrew/Cellar/cjson/1.7.17