From 80e50c64c798968c4028d7604f8a9f91d71642f2 Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Mon, 14 Oct 2024 10:29:16 +0100
Subject: [PATCH] Run vulnerability scan on latest release version

Previously the scan ran on the current state of the codebase. This fails to identify vulnerabilities in dependencies for the latest release version if those dependencies have already been updated in the development codebase. The gating factor for whether a new release is required should be whether the previous release contains vulnerabilities. This change runs the scheduled vulnerability scan on the latest release tag. It also adds vulnerability scanning to pull request builds. This is purely informational. A scan failure does not fail the pull request build.

Signed-off-by: Mark S. Lewis
---
 .github/workflows/pull_request.yml | 3 +++
 .github/workflows/scan.yml | 23 +++++++++++++++++++++++
 .github/workflows/vulnerability-scan.yml | 22 +++++++++++++---------
 3 files changed, 39 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/scan.yml

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index c637089..163f91d 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -14,6 +14,9 @@ jobs:
 build:
 uses: ./.github/workflows/build.yml
 
+ scan:
+ uses: ./.github/workflows/scan.yml
+
 pull-request:
 needs: build
 name: Pull request success
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000..601727e
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,23 @@
+name: "Security vulnerability scan"
+
+on:
+ workflow_call:
+ inputs:
+ ref:
+ description: Branch, tag or SHA to scan.
+ type: string
+ required: false
+ default: ""
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: stable
+ check-latest: true
+ - name: Scan
+ run: make scan
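Review bot: The new `scan` job is informational only because the `pull-request` gate still lists `needs: build`, but nothing in the file records that intent, and a failed called workflow will still make the run's overall status a failure, which reviewers may read as a blocked PR; add `# Informational: not in pull-request.needs, so a scan failure does not block merge` above `scan:`. No `ref` is passed, so scan.yml's checkout runs on the pull request's merge ref, which is what a PR scan wants. The `jobs:` mapping and the `pull-request` job continue outside the hunk.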
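Review bot: The `ref` input declared under `workflow_call` is never consumed: the `actions/checkout@v4` step has no `with:` block, so a caller passing a release tag still scans whatever the triggering ref is, which defeats the scheduled release scan this commit introduces; change the step to `- uses: actions/checkout@v4` / `with:` / `ref: ${{ inputs.ref }}` (checkout treats an empty `ref` as the triggering ref, so the `""` default keeps the pull-request caller working unchanged). The job also declares no `permissions:`; it only needs to read the repository, so `permissions: contents: read` on the job keeps the default token at the minimum the scan needs. Pinning the two actions to a full commit SHA rather than a movable major tag would be the usual supply-chain hygiene for a security-scanning workflow.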
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 1eb6777..6c1e6e8 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -6,14 +6,18 @@ on:
 workflow_dispatch:
 
 jobs:
- scan:
+ latest-release-version:
+ name: Get latest release tag
 runs-on: ubuntu-latest
+ outputs:
+ tag_name: ${{ steps.tag-name.outputs.value }}
 steps:
- - uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: stable
- check-latest: true
- - name: Scan
- run: make scan
+ - id: tag-name
+ run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"
+
+ scan:
+ name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
+ needs: latest-release-version
+ uses: ./.github/workflows/scan.yml
+ with:
+ ref: ${{ needs.latest-release-version.outputs.tag_name }}
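Review bot: The `tag-name` step can emit an empty value without failing: the step's default shell does not enable `pipefail`, so when `curl --fail` exits non-zero (the unauthenticated `api.github.com` call is subject to the low per-IP rate limit that hosted runners share) `jq` reads empty input, the command still succeeds, and the `scan` job is called with `ref: ""`, which falls back to scanning the development branch — the behaviour this commit sets out to replace, now failing silently. Authenticating with the workflow token and asserting the value is non-empty before it is written closes both gaps; the rewritten step below uses the preinstalled `gh` CLI, which reads `GH_TOKEN` and returns the latest release directly. The file's `on:` block starts before this hunk.
```yaml
      - id: tag-name
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          tag="$(gh release view --repo "${GITHUB_REPOSITORY}" --json tagName --jq .tagName)"
          test -n "${tag}"
          echo "value=${tag}" >> "${GITHUB_OUTPUT}"
# … unchanged: scan job calling scan.yml with the tag …
```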