diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index c637089..163f91d 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -14,6 +14,9 @@ jobs: build: uses: ./.github/workflows/build.yml + scan: + uses: ./.github/workflows/scan.yml + pull-request: needs: build name: Pull request success diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 0000000..36a8202 --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1,25 @@ +name: "Security vulnerability scan" + +on: + workflow_call: + inputs: + ref: + description: Branch, tag or SHA to scan. + type: string + required: false + default: "" + +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: stable + check-latest: true + - name: Scan + run: make scan diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 1eb6777..6c1e6e8 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -6,14 +6,18 @@ on: workflow_dispatch: jobs: - scan: + latest-release-version: + name: Get latest release tag runs-on: ubuntu-latest + outputs: + tag_name: ${{ steps.tag-name.outputs.value }} steps: - - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: stable - check-latest: true - - name: Scan - run: make scan + - id: tag-name + run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}" + + scan: + name: Scan ${{ needs.latest-release-version.outputs.tag_name }} + needs: latest-release-version + uses: ./.github/workflows/scan.yml + with: + ref: ${{ needs.latest-release-version.outputs.tag_name }}