Fix issues for the Security Scan Workflow (#51)

sachinh-amazon · web-flow · commit d7cd961ff3b9 · 2025-10-01T14:31:03.000+02:00
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
@@ -5,7 +5,7 @@ env:
 
 on:
   # Trigger 1: PR created on main or version branches (*.*)
-  pull_request:
+  pull_request_target:
     branches:
       - main
       - '*.*'
@@ -36,21 +36,21 @@ jobs:
 
       - name: Determine branches for PR events
         id: determine-pr-branches
-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request_target'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_REF: ${{ github.head_ref }}
         run: |
           # For PR events, validate base branch and use head ref if valid
           base_ref="${{ github.base_ref }}"
-          head_ref="${{ github.head_ref }}"
           echo "Base branch: $base_ref"
-          echo "Head branch: $head_ref"
+          echo "Head branch: $HEAD_REF"
           
           if [[ "$base_ref" =~ ^[0-9]+\.[0-9]+$ ]] || [[ "$base_ref" == "main" ]]; then
             echo "Base branch matches allowed pattern (main or digit.digit)"
-            echo "branches=[\"$head_ref\"]" >> $GITHUB_OUTPUT
+            echo "branches=[\"$HEAD_REF\"]" >> $GITHUB_OUTPUT
             echo "output-branch-name=$base_ref" >> $GITHUB_OUTPUT
-            echo "Branches to scan: [$head_ref]"
+            echo "Branches to scan: [$HEAD_REF]"
             echo "Output files will use branch name: $base_ref"
           else
             echo "Base branch does not match allowed pattern - no branches to scan"
@@ -60,17 +60,17 @@ jobs:
 
       - name: Get all upstream branches
         id: get-upstream-branches
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request_target'
         run: |
           # Get main branch and all version branches (*.*)
-          branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)' | sed 's/origin\///' | tr '\n' ' ')
+          branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)$' | sed 's/origin\///' | tr '\n' ' ')
           echo "Found upstream branches: $branches"
           echo "upstream-branches=$branches" >> $GITHUB_OUTPUT
           echo "output-branch-name=scheduled" >> $GITHUB_OUTPUT
 
       - name: Get completed workflows from previous day
         id: get-completed-workflows
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request_target'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -94,7 +94,7 @@ jobs:
 
       - name: Check for successful scan artifacts from previous day
         id: check-scan-artifacts
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request_target'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -144,7 +144,7 @@ jobs:
 
       - name: Determine security scan branches for scheduled runs
         id: determine-scheduled-security-scan-branches
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request_target'
         run: |
           upstream_branches="${{ steps.get-upstream-branches.outputs.upstream-branches }}"
           successful_branches="${{ steps.check-scan-artifacts.outputs.successful-security-scan-branches }}"
@@ -181,7 +181,7 @@ jobs:
 
       - name: Determine global dependencies branches for scheduled runs
         id: determine-scheduled-global-dependencies-branches
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request_target'
         run: |
           upstream_branches="${{ steps.get-upstream-branches.outputs.upstream-branches }}"
           successful_branches="${{ steps.check-scan-artifacts.outputs.successful-global-dependencies-branches }}"
@@ -257,6 +257,7 @@ jobs:
           # security scan scripts. So we download the latest one from main
           echo "Downloading latest security-scan.sh script from main branch"
           curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh
+          sudo chmod +x scripts/security-scan.sh
           echo "Updated security-scan.sh to latest version from main"
       
       - name: Set up environment
@@ -323,7 +324,7 @@ jobs:
       - name: Create Success Indicator File
         run: |
           # For PR events, use base_ref as output branch name, otherwise use actual branch
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
+          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
             output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
           else
             output_branch="${{ matrix.branch }}"
@@ -333,8 +334,8 @@ jobs:
       - name: Upload Success Indicator File
         uses: actions/upload-artifact@v4
         with:
-          name: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
-          path: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
+          name: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
+          path: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
           retention-days: 90
 
       - name: Publish Scan Successful Metric
@@ -379,7 +380,7 @@ jobs:
           targets=($(echo "$targets_json" | jq -r '.[]'))
           
           # For PR events, use base_ref as output branch name, otherwise use actual branch
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
+          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
             check_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
           else
             check_branch="${{ matrix.branch }}"
@@ -417,8 +418,8 @@ jobs:
         if: success()
         uses: actions/upload-artifact@v4
         with:
-          name: scan-success-branch-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
-          path: scan-success-branch-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
+          name: scan-success-branch-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
+          path: scan-success-branch-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
           retention-days: 90
   
   security-scan-global-dependencies:
@@ -461,6 +462,7 @@ jobs:
           # security scan scripts. So we download the latest one from main
           echo "Downloading latest security-scan.sh script from main branch"
           curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh
+          sudo chmod +x scripts/security-scan.sh
           echo "Updated security-scan.sh to latest version from main"
       
       - name: Install Security Scan Dependencies
@@ -513,7 +515,7 @@ jobs:
       - name: Create Global Success Indicator File
         run: |
           # For PR events, use base_ref as output branch name, otherwise use actual branch
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
+          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
             output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
           else
             output_branch="${{ matrix.branch }}"
@@ -523,8 +525,8 @@ jobs:
       - name: Upload Global Success Indicator File
         uses: actions/upload-artifact@v4
         with:
-          name: global-scan-success-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
-          path: global-scan-success-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
+          name: global-scan-success-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
+          path: global-scan-success-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
           retention-days: 90
       
       - name: Publish Failure Metrics
