From 491762716019ae9fb519810fef8854c3d18053b7 Mon Sep 17 00:00:00 2001
From: shaed-parkar <41630528+shaed-parkar@users.noreply.github.com>
Date: Fri, 29 Nov 2024 09:50:54 +0000
Subject: [PATCH] VIH-11085 Add OSV Scanner GitHub action (#1452)
* VIH-11085 Add OSV Scanner GitHub action
* Create launch-darkly-flag-sync.yml
---
.github/workflows/launch-darkly-flag-sync.yml | 22 +++++++++++++++++++
.github/workflows/osv-scanner-pr.yml | 20 +++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 .github/workflows/launch-darkly-flag-sync.yml
create mode 100644 .github/workflows/osv-scanner-pr.yml
diff --git a/.github/workflows/launch-darkly-flag-sync.yml b/.github/workflows/launch-darkly-flag-sync.yml
new file mode 100644
index 000000000..89dd79f0c
--- /dev/null
+++ b/.github/workflows/launch-darkly-flag-sync.yml
@@ -0,0 +1,22 @@
+name: Find LaunchDarkly flag code references
+on: push
+# cancel in-flight workflow run if another push was triggered
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ launchDarklyCodeReferences:
+ name: LaunchDarkly Code References
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 11 # This value must be set if the lookback configuration option is not disabled for find-code-references. Read more: https://github.com/launchdarkly/ld-find-code-refs#searching-for-unused-flags-extinctions
+ - name: LaunchDarkly Code References
+ uses: launchdarkly/find-code-references@v2
+ with:
+ accessToken: ${{ secrets.LD_SERVICE_TOKEN }}
+ projKey: VH
+ debug: true
+ prune: true
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
new file mode 100644
index 000000000..330b70a4e
--- /dev/null
+++ b/.github/workflows/osv-scanner-pr.yml
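Review bot: In launch-darkly-flag-sync.yml, `secrets.LD_SERVICE_TOKEN` is handed to `launchdarkly/find-code-references@v2`, a mutable tag, and the workflow declares no `permissions:` block, so the job runs on every push to any branch with the repository's default `GITHUB_TOKEN` scope. Pin both `uses:` references to a full commit SHA with the tag kept as a trailing comment, and add a workflow-level `permissions:` block containing `contents: read`. `debug: true` is best removed once the integration is confirmed working, because verbose action output is readable by anyone who can view the run. The same tag pinning applies to the reusable workflow reference `@v1.8.5` in osv-scanner-pr.yml, which is granted `security-events: write`.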
@@ -0,0 +1,20 @@
+name: OSV-Scanner PR Scan
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+ pull_request:
+ branches: [master]
+ merge_group:
+ branches: [master]
+
+permissions:
+ # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
+ actions: read
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+
+jobs:
+ scan-pr:
+ uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.5'
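Review bot: The final `uses:` line calls `osv-scanner-reusable.yml`, although the workflow is named and triggered as a PR scan; the upstream action also ships `osv-scanner-reusable-pr.yml`, which as far as I know compares base and head so that only findings introduced by the pull request are reported. If that is the intent, change the line to `uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v1.8.5'`; otherwise each PR is likely to surface the whole existing backlog. Pull requests from forks receive a read-only token, so the SARIF upload that needs `security-events: write` will probably fail for them, which deserves a comment above `permissions:`. The leading comment about changing "main" is template text and would read better as `# Scans pull requests and merge-queue entries targeting master`.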