Merge pull request #10206 from kikofernandez/kiko/fix-scanner-issue-creation/OTP-19775

kikofernandez · web-flow · commit 8eb8e1db8ed6 · 2025-09-16T17:32:02.000+02:00
Fixes to the vendor vulnerability scanner

OTP-19775
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -475,15 +475,14 @@ jobs:
   # this is a call to a workflow_call
   pr-vendor-vulnerability-analysis:
     needs: modified-vendor-files
-    if: ${{ needs.modified-vendor-files.outputs.vendor-files == 'true' && github.event_name == 'pull_request'}}
+    if: ${{ needs.modified-vendor-files.outputs.vendor-files == 'true' && github.event_name == 'pull_request' && github.repository == 'erlang/otp'}}
     permissions:
-      security-events: read
-      issues: write
+      actions: read
     name: Vendor Vulnerability Scanning
     uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml
     with:
-      fail_if_cve: false
-      checkout: false
+      fail_if_cve: true
+      checkout: true
       version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
       # equivalent of ${{ env.BASE_BRANCH }} but reusable-workflows do not allow to pass env.
     secrets: inherit
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
@@ -57,11 +57,7 @@ jobs:
         type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
       fail-fast: false
     permissions:
-      security-events: read
-      issues: write
-      actions: write
-      contents: write
-      pull-requests: write
+      actions: read
     steps:
       # this call to a workflow_dispatch ref=master is important because
       # using ref={{matrix.type}} would trigger the workflow
diff --git a/.github/workflows/reusable-vendor-vulnerability-scanner.yml b/.github/workflows/reusable-vendor-vulnerability-scanner.yml
@@ -51,7 +51,7 @@ on:
         default: 'master'
         type: 'string'
       fail_if_cve:
-        description: 'Fail if CVE is found'
+        description: 'Fail if CVE is found and create issue'
         required: true
         default: false
         type: boolean
@@ -72,7 +72,7 @@ on:
         default: 'master'
         type: 'string'
       fail_if_cve:
-        description: 'Fail if CVE is found'
+        description: 'Fail if CVE is found and create issue'
         required: true
         default: false
         type: boolean
@@ -92,8 +92,7 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     permissions:
-      security-events: read
-      issues: write
+      actions: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
         with:
@@ -103,8 +102,14 @@ jobs:
         with:
           otp-version: '28'
 
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # ratchet:actions/create-github-app-token@v2.1.4
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.ERLANG_VENDOR_SCANNER_APP_ID }}
+          private-key: ${{ secrets.ERLANG_VENDOR_SCANNER_BOT_PRIVATE_KEY }}
+
       - name: 'Analysis of dependencies from OpenVEX in ${{ inputs.version }}'
-        id: analysis
         run: |
           curl -L \
                -H "Accept: application/vnd.github+json" \
@@ -115,6 +120,6 @@ jobs:
           chmod +x otp-compliance.es
           cp otp-compliance.es /home/runner/work/otp/otp/.github/scripts/otp-compliance.es
           cd /home/runner/work/otp/otp && \
-          .github/scripts/otp-compliance.es sbom osv-scan \
+          GH_TOKEN="${{ steps.app-token.outputs.token }}" .github/scripts/otp-compliance.es sbom osv-scan \
                --version ${{ inputs.version }} \
                --fail_if_cve ${{ inputs.fail_if_cve }}
