From a7e27b9b68975110d5572c3c96dea38d1afc6784 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Thu, 17 Jul 2025 17:23:33 +0100 Subject: [PATCH] workflow: Fix osv-scanner action - The github generated template had an old version which isn't valid for the pr-scan, so update to the latest - The action needs also `actions: read` and `contents:read` to run in kata-containers Signed-off-by: stevenhorsman --- .github/workflows/osv-scanner.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml index 9f74345b14..3bf957a271 100644 --- a/.github/workflows/osv-scanner.yaml +++ b/.github/workflows/osv-scanner.yaml @@ -18,23 +18,24 @@ on: jobs: scan-scheduled: permissions: + actions: read # # Required to upload SARIF file to CodeQL + contents: read # Read commit contents security-events: write # Require writing security events to upload SARIF file to security tab if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0 with: - # Example of specifying custom arguments scan-args: |- -r - --skip-git ./ scan-pr: permissions: + actions: read # Required to upload SARIF file to CodeQL + contents: read # Read commit contents security-events: write # Require writing security events to upload SARIF file to security tab if: ${{ github.event_name == 'pull_request' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0 with: # Example of specifying custom arguments scan-args: |- -r - --skip-git ./