From c830a47c3e082c1c1b140bf539551511a3a09700 Mon Sep 17 00:00:00 2001
From: GeoDerp <18461782+GeoDerp@users.noreply.github.com>
Date: Sat, 1 Feb 2025 10:21:56 +0000
Subject: [PATCH] fix(actions): fix osv action in code quality
---
 .github/workflows/code-quality.yml | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 7bc01d53..e36b642e 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -9,6 +9,11 @@ on:
 jobs:
 build:
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
 strategy:
 matrix:
 os: [ubuntu-latest]
@@ -30,14 +35,6 @@ jobs:
 - name: Run Ruff
 run: ruff check --output-format=github .
-
- - name: OSV scan
- uses: "geoderp/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v0.0.1"
- with:
- fail-on-vuln: false
- scan-args: |-
- --recursive
- ./
 # - name: Type Check with Mypy
 # shell: bash
@@ -47,4 +44,17 @@ jobs:
 - name: SonarQube Scan
 uses: SonarSource/sonarqube-scan-action@v4
 env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
\ No newline at end of file
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ scan-pr:
+ needs:
+ - build
+ uses: "geoderp/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v0.0.1"
+ with:
+ fail-on-vuln: false
+ scan-args: |-
+ --recursive
+ ./
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
\ No newline at end of file
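Review bot: The `permissions:` block added to the `build` job in the first hunk (`@@ -9,6 +9,11 @@`) grants `packages: write`, `attestations: write` and `id-token: write`, yet the steps visible in this patch (Ruff, the SonarQube scan) only need to read the repository. Every step in the job, including the tag-pinned `SonarSource/sonarqube-scan-action@v4`, inherits that token and the ability to request an OIDC identity, so a compromised action or dependency would gain publish and signing scopes the job has no use for. Unless a step outside the hunk pushes packages or creates attestations, reduce the block to `permissions:` / `contents: read`. The job's step list starts and ends outside the hunk, so this should be confirmed against the full file.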
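Review bot: The new `scan-pr` job in the last hunk (`@@ -47,4 +44,17 @@`) calls a reusable workflow from a personal namespace by mutable tag (`@v0.0.1`) while granting it `security-events: write`, so whoever can move that tag controls what runs with those permissions. Pin the reference to a full commit SHA, e.g. `uses: "geoderp/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<full-commit-sha>"  # v0.0.1`, with the placeholder replaced by the audited commit. With `fail-on-vuln: false` the job presumably stays green when vulnerabilities are found, so the results only matter if someone reviews the uploaded code-scanning alerts. `needs: build` also means the scan is skipped whenever lint or the SonarQube step fails. A short comment above the job, such as `# advisory only: findings go to code scanning, job does not gate merges`, would record that both choices are intentional.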