# This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. # A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities, # in addition to a PR check which fails if new vulnerabilities are introduced. # # For more examples and options, including how to ignore specific vulnerabilities, # see https://google.github.io/osv-scanner/github-action/ # Security vulnerability scanning for Donut Browser # Scans dependencies in package managers (npm/pnpm, Cargo) for known vulnerabilities # Runs on schedule and when dependencies change name: Security Vulnerability Scan on: pull_request: branches: ["main"] paths: - "package.json" - "pnpm-lock.yaml" - "src-tauri/Cargo.toml" - "src-tauri/Cargo.lock" - ".github/workflows/osv.yml" merge_group: branches: ["main"] schedule: # Run weekly on Tuesdays at 2:20 PM UTC - cron: "20 14 * * 2" push: branches: ["main"] paths: - "package.json" - "pnpm-lock.yaml" - "src-tauri/Cargo.toml" - "src-tauri/Cargo.lock" permissions: security-events: write contents: read actions: read jobs: scan-scheduled: name: Scheduled Security Scan if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5 with: scan-args: |- -r --skip-git --lockfile=pnpm-lock.yaml --lockfile=src-tauri/Cargo.lock ./ scan-pr: name: PR Security Scan if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5 with: scan-args: |- -r --skip-git --lockfile=pnpm-lock.yaml --lockfile=src-tauri/Cargo.lock ./