From 1ae9f847fc26e45945a97e35c42fe82aa3fa5c6a Mon Sep 17 00:00:00 2001
From: Kiko Fernandez-Reyes
Date: Mon, 23 Sep 2024 11:23:26 +0200
Subject: [PATCH] github: add OSV automated vulnerability checking
---
 .github/workflows/osv-scanner-scheduled.yml | 77 +++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .github/workflows/osv-scanner-scheduled.yml
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 00000000000..abe6aabec60
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,77 @@
+## Runs the Google OSV-scanner utility to detect known vulnerabilities.
+## The scan is run on each PR/push and also periodically on each maintained branch
+name: Open Source Vulnerabilities Scanner
+
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: 0 1 * * *
+
+permissions:
+ contents: read
+
+jobs:
+ schedule-scan:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'schedule' && github.repository == 'erlang/otp'
+ # if: github.event_name != 'workflow_dispatch' # used for testing
+ outputs:
+ versions: ${{ steps.get-versions.outputs.versions }}
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7
+ - id: get-versions
+ name: Fetch latest 3 OTP versions
+ run: |
+ VSNs=$(grep -E 'OTP-[^.]+[.]0 :' otp_versions.table | awk '{ print $1 '} | head -3 | sed 's/[-.]/ /g' | awk '{print $2}')
+ versions='["maint", "master"'
+ for vsn in $VSNs; do
+ versions="${versions}, \"maint-$vsn\""
+ done
+ versions="${versions}]"
+ echo "versions=${versions}" >> "$GITHUB_OUTPUT"
+
+ run-scheduled-scan:
+ # Fan out and create requests to run OSV on multiple branches.
+ # It always succeed: either it sends requests to branches that
+ # can run 'scan-pr' (if the repo/branch contains this file) or
+ # skips sending the request.
+ needs: schedule-scan
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
+ fail-fast: false
+ permissions:
+ actions: write
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7
+ with:
+ ref: ${{ matrix.type }}
+
+ - name: Trigger Vulnerability Scanning
+ env:
+ GH_TOKEN: ${{ github.token }}
+ if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+ run: |
+ gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
+ -f "ref=${{ matrix.type }}"
+
+ scan-pr:
+ # run-scheduled-scan triggers this job
+ # PRs and pushes trigger this job
+ if: github.event_name != 'schedule'
+ permissions:
+ # Required to upload SARIF file to CodeQL.
+ # See: https://github.com/github/codeql-action/issues/2117
+ actions: read
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # ratchet:google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.5
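Review bot: In run-scheduled-scan, `${{ matrix.type }}` and `${{ github.repository }}` are expanded directly into the `run:` shell of a job that holds `actions: write`; the branch names come from `otp_versions.table` on the scheduled branch rather than from an untrusted event, so this is not exploitable as written, but the standard hardening is to route expression values through `env:` so an unexpected entry in that table cannot alter the command: add `TARGET_REF: ${{ matrix.type }}` under the existing `env:`, then use `/repos/${GITHUB_REPOSITORY}/actions/workflows/osv-scanner-scheduled.yml/dispatches \` and `-f "ref=${TARGET_REF}"`. Two smaller points in the same file: the schedule entry is conventionally quoted, `- cron: '0 1 * * *'`, so it stays a plain string under every YAML loader, and `awk '{ print $1 '}` in the get-versions step closes its quote before the `}` — the shell concatenates the unquoted brace so it works, but `awk '{ print $1 }'` reads as intended. Finally, `pull_request` runs from forks presumably receive a read-only `GITHUB_TOKEN`, in which case the `security-events: write` that scan-pr requests for the SARIF upload would not be granted; it is worth confirming the reusable workflow tolerates that, or documenting it next to the `permissions:` block.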