From 9153a312c3cfbbf21e18d6760866298ef4108bd0 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Fri, 7 Mar 2025 18:49:52 +0100
Subject: [PATCH 1/3] Update `MetaMask/action-security-code-scanner` and run as part of main workflow
---
 .github/workflows/main.yml | 12 ++++++++++++
 .github/workflows/security-code-scanner.yml | 16 ++++++++--------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c5698bc..42e2dd7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,6 +22,18 @@ jobs:
 run: ${{ steps.download-actionlint.outputs.executable }} -color
 shell: bash
+ analyse-code:
+ name: Code scanner
+ needs: check-workflows
+ uses: ./.github/workflows/security-code-scanner.yml
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ secrets:
+ SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+ APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
+
 build-lint-test:
 name: Build, lint, and test
 uses: ./.github/workflows/build-lint-test.yml
diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml
index 6bb460d..a1b6f55 100644
--- a/.github/workflows/security-code-scanner.yml
+++ b/.github/workflows/security-code-scanner.yml
@@ -1,12 +1,12 @@
 name: MetaMask Security Code Scanner
 on:
- push:
- branches:
- main
- pull_request:
- branches:
- main
+ workflow_call:
+ secrets:
+ SECURITY_SCAN_METRICS_TOKEN:
+ required: false
+ APPSEC_BOT_SLACK_WEBHOOK:
+ required: false
 workflow_dispatch:
 jobs:
@@ -17,8 +17,8 @@ jobs:
 contents: read
 security-events: write
 steps:
- name: MetaMask Security Code Scanner
- uses: MetaMask/Security-Code-Scanner@main
+ name: Analyse code
+ uses: MetaMask/action-security-code-scanner@v1
 with:
 repo: ${{ github.repository }}
 paths_ignored: |
From 3fb5c51353581b45df6439bbb5e35d1594cb3e64 Mon Sep 17 00:00:00 2001
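Review bot: The `secrets:` block of the new `analyse-code` job forwards exactly the two secrets the scanner declares rather than `secrets: inherit`, which is the right least-privilege choice, but nothing records that intent, so a later "simplification" to `inherit` would hand every repository secret to the scanner job. Suggest a comment above `secrets:`: `# Forward only the secrets the scanner declares; do not replace with secrets: inherit`. If main.yml also runs on pull_request from forks (its triggers are outside this hunk), both values resolve to empty strings; the called workflow marks them `required: false`, so the scan still runs, but confirm the action tolerates an empty metrics token and webhook rather than failing the job.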
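Review bot: Replacing the `push`/`pull_request` triggers with `workflow_call` changes the status-check identity this workflow reports under — it now appears as a job nested under the calling workflow instead of under `MetaMask Security Code Scanner` — so any branch-protection rule that required the old check by name would silently stop being enforced; verify the required status checks on `main` after merging. The two declared secrets also carry no `description:`; since both are `required: false`, a one-line `description:` on each saying what the scanner does without it (presumably the metrics upload and Slack notification are skipped — confirm against the action's docs) tells a future caller whether omitting them is safe.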
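Review bot: `uses: MetaMask/action-security-code-scanner@v1` still references a mutable tag; `v1` can be re-pointed to any commit by whoever controls the action repository, so a compromised maintainer account would run arbitrary code in this job with `security-events: write` and whatever the forwarded secrets grant. Moving off `@main` is an improvement, but pin to the full commit SHA and keep the tag as a comment, `uses: MetaMask/action-security-code-scanner@<full-commit-sha> # v1`, and let Dependabot/Renovate bump the pin. The `paths_ignored: |` block scalar and the remaining `with:` inputs continue past the hunk, so how the two secrets reach the action was not reviewed here.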
From: Maarten Zuidhoorn
Date: Fri, 7 Mar 2025 18:52:24 +0100
Subject: [PATCH 2/3] Add name
---
 .github/workflows/security-code-scanner.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml
index a1b6f55..ababbbe 100644
--- a/.github/workflows/security-code-scanner.yml
+++ b/.github/workflows/security-code-scanner.yml
@@ -11,6 +11,7 @@ on:
 jobs:
 run-security-scan:
+ name: Run security scan
 runs-on: ubuntu-latest
 permissions:
 actions: read
From 107d96e4b87db97d9c2f3755278a1253daee2528 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Fri, 7 Mar 2025 18:53:56 +0100
Subject: [PATCH 3/3] Add code scanner as requirement for all-jobs-completed
---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 42e2dd7..21493f8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -43,6 +43,7 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - check-workflows
+ - analyse-code
 - build-lint-test
 outputs:
 PASSED: ${{ steps.set-output.outputs.PASSED }}
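Review bot: Adding `analyse-code` to `needs:` of `all-jobs-completed` only orders this job after the scanner; the step that sets `PASSED` (outside the hunk) must also inspect `needs.analyse-code.result`, otherwise a failed or skipped scan never flips the output and the gate is bypassed. If the job carries `if: always()` (not visible here) that result check is essential; if it does not, a failed scan cancels the job and `PASSED` is never emitted, which may or may not be what the branch rule expects — confirm which behaviour is intended and cover it explicitly, e.g. `needs.analyse-code.result == 'success'`. The `all-jobs-completed` job starts before and continues after this hunk.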