Skip to content
OSV-Scanner

feat: Enable FA (flake8-annotations) linter rules to enforce comprehensive type annotations across the codebase #9678

Sign in to view logs

feat: Enable FA (flake8-annotations) linter rules to enforce comprehensive type annotations across the codebase

feat: Enable FA (flake8-annotations) linter rules to enforce comprehensive type annotations across the codebase #9678

Workflow file for this run

.github/workflows/osv-scanner.yml at 7db09b0
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner
on:
pull_request:
branches: [ "main" ]
merge_group:
branches: [ "main" ]
schedule:
- cron: '43 20 * * 3'
push:
branches: [ "main" ]
permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Read commit contents
contents: read
actions: read
jobs:
scan-scheduled:
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f" # v2.0.1
with:
# Example of specifying custom arguments
scan-args: |-
-r
./
scan-pr:
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f" # v2.0.1
with:
# Example of specifying custom arguments
scan-args: |-
-r
./
prepare-container-matrix:
name: Discover Dockerfiles
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Checkout the revision
uses: actions/checkout@v6
with:
lfs: false
fetch-depth: 0 # Need full history for git diff
- name: Find Dockerfiles to scan
id: set-matrix
run: |
# For PR: only scan changed Dockerfiles
# For schedule/push: scan all Dockerfiles
if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "merge_group" ]; then
echo "Scanning only changed Dockerfiles in PR"
DOCKERFILES=$(git diff --name-only --diff-filter=ACMR origin/${{ github.base_ref }}...HEAD | grep '^docker/.*\.dockerfile$' || true)
else
echo "Scanning all Dockerfiles"
DOCKERFILES=$(find docker -type f -name "*.dockerfile")
fi
# Build JSON matrix
MATRIX_JSON=$(echo "$DOCKERFILES" | jq -R -s -c '
split("\n") |
map(select(length > 0)) |
map({
name: (split("/")[-1] | split(".dockerfile")[0]),
dockerfile: .,
context: "docker"
}) |
{include: .}
')
echo "Found Dockerfiles matrix:"
echo "$MATRIX_JSON" | jq .
echo "matrix=$MATRIX_JSON" >> $GITHUB_OUTPUT
scan-containers:
name: Scan Container Images
runs-on: ubuntu-latest
needs: prepare-container-matrix
if: needs.prepare-container-matrix.outputs.matrix != '{"include":[]}'
strategy:
matrix: ${{ fromJson(needs.prepare-container-matrix.outputs.matrix) }}
fail-fast: false
steps:
- name: Checkout the revision
uses: actions/checkout@v6
with:
lfs: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
uses: docker/build-push-action@v6
with:
context: ${{ matrix.context }}
file: ${{ matrix.dockerfile }}
platforms: linux/amd64
tags: backendai-${{ matrix.name }}:scan
load: true
cache-from: type=gha,scope=${{ matrix.name }}
cache-to: type=gha,mode=max,scope=${{ matrix.name }}
- name: Run OSV Scanner on Docker image
uses: google/osv-scanner-action/osv-scanner-action@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v2.0.1
with:
scan-args: |-
--format sarif
--docker backendai-${{ matrix.name }}:scan
continue-on-error: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: results.sarif
category: container-${{ matrix.name }}