Allow for optional label to trigger vuln scan on patch PRs (flutter/engine#42494)

This change introduces the ability to allow for the vulnerability scanning workflow to be triggered by the 'vulnerability scan' label on PRs. If the label is not applied, the workflow is skipped completely on PRs. This will allow those working to patch a vulnerability to check for resolution before landing the change.

Testing this change: https://github.com/flutter/engine/actions/runs/5059129544

b/283970087


This commit is contained in:
Jesse Seales
2023-06-02 09:42:07 -04:00
committed by GitHub
parent 9da257510a
commit 733739e295


@@ -4,6 +4,8 @@ on:
branch_protection_rule:
push:
branches: [ main ]
pull_request:
types: [ labeled ]
# Declare default permissions as read only.
permissions: read-all
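Review bot: with `types: [ labeled ]` as the only `pull_request` activity type, the scan runs once at the moment the label is applied and not again when further commits are pushed to the PR; the label has to be removed and re-added to re-scan, which is easy to forget on a patch PR that goes through several revisions. Consider `types: [ labeled, synchronize ]` and, in the job's `if:`, testing the label set on the PR (`contains(github.event.pull_request.labels.*.name, 'vulnerability scan')`) instead of `github.event.label.name`, so a `synchronize` event on an already-labeled PR also runs the job. The `branch_protection_rule` and `push` triggers are untouched, so the label gate only affects PR runs.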
@@ -12,7 +14,8 @@ jobs:
vuln-scan:
name: Vulnerability scanning
runs-on: ubuntu-20.04
if: ${{ github.repository == 'flutter/engine' }}
# run on flutter/engine push to main or PRs with 'vulnerability patch' label
if: ${{ github.repository == 'flutter/engine' && (github.event_name == 'push' || github.event.label.name == 'vulnerability scan') }}
permissions:
# Needed to upload the SARIF results to code-scanning dashboard.
security-events: write
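Review bot: the comment on the new `if:` line says 'vulnerability patch' but the expression compares against 'vulnerability scan', which is also the label named in the commit message; fix the comment so the documented label matches the one actually checked. Two further points on the same condition: `github.event.label.name` is only populated for the `labeled`/`unlabeled` activity types, so if the trigger is later widened to `synchronize` this comparison silently becomes false; and `security-events: write` is never granted to a `pull_request` run for a PR opened from a fork (the GITHUB_TOKEN is read-only there), so the SARIF upload this permission exists for will fail on labeled fork PRs, and only PRs from branches in flutter/engine itself will get results on the code-scanning dashboard. Worth stating that limitation in the comment or the commit message.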