From 733739e295d1534e842d2c6f1fee15fe283f18ad Mon Sep 17 00:00:00 2001
From: Jesse Seales <103135467+sealesj@users.noreply.github.com>
Date: Fri, 2 Jun 2023 09:42:07 -0400
Subject: [PATCH] Allow for optional label to trigger vuln scan on patch PRs (flutter/engine#42494)

This change introduces the ability to allow for the vulnerability scanning workflow to be triggered by the 'vulnerability scan' label on PRs. If the label is not applied, the workflow is skipped completely on PRs. This will allow those working to patch a vulnerability to check for resolution before landing the change.

Testing this change: https://github.com/flutter/engine/actions/runs/5059129544

b/283970087

*If you had to change anything in the [flutter/tests] repo, include a link to the migration guide as per the [breaking change policy].*

[C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
---
 engine/src/flutter/.github/workflows/third_party_scan.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/engine/src/flutter/.github/workflows/third_party_scan.yml b/engine/src/flutter/.github/workflows/third_party_scan.yml
index 7e50fbb8eb..80724463d2 100644
--- a/engine/src/flutter/.github/workflows/third_party_scan.yml
+++ b/engine/src/flutter/.github/workflows/third_party_scan.yml
@@ -4,6 +4,8 @@ on:
   branch_protection_rule:
   push:
     branches: [ main ]
+  pull_request:
+    types: [ labeled ]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -12,7 +14,8 @@ jobs:
   vuln-scan:
     name: Vulnerability scanning
     runs-on: ubuntu-20.04
-    if: ${{ github.repository == 'flutter/engine' }}
+    # run on flutter/engine push to main or PRs with 'vulnerability patch' label
+    if: ${{ github.repository == 'flutter/engine' && (github.event_name == 'push' || github.event.label.name == 'vulnerability scan') }}
     permissions:
       # Needed to upload the SARIF results to code-scanning dashboard.
       security-events: write
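Review bot: The comment added above the job-level `if` names a 'vulnerability patch' label, but the condition on the next line compares `github.event.label.name` against 'vulnerability scan' (which is also the label the commit description names), so the comment and the code disagree and the comment should read `# run on flutter/engine push to main or PRs carrying the 'vulnerability scan' label`. The new condition also admits only the `push` event and a matching labeled `pull_request`, so runs started by the `branch_protection_rule` trigger that the first hunk leaves in `on:` are now skipped by this job — either that trigger should be dropped too or the condition should include `github.event_name == 'branch_protection_rule'`. Because the new trigger is `pull_request` rather than `pull_request_target`, runs for pull requests from forks receive a read-only GITHUB_TOKEN regardless of the `security-events: write` request here, so any SARIF upload step later in the job would presumably fail for fork PRs; worth confirming and noting next to the permission. The job's steps continue outside the hunk.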