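---
name: OSV-Scanner
# Scans the repo's lockfiles (uv.lock, package-lock.json) against the OSV
# vulnerability database. Runs on every PR/push (via the ci.yml orchestrator's
# workflow_call) and on a weekly schedule against main.
#
# This is detection-only — OSV-Scanner does NOT open PRs or modify pins.
# It reports known CVEs in currently-pinned dependency versions so we can
# decide when and how to patch on our own schedule. Our pinning strategy
# (full SHA / exact version) is preserved; only the notification signal
# is added.
#
# Complements the supply-chain-audit.yml workflow (which scans for malicious
# code patterns in PR diffs) by covering the orthogonal "currently-pinned
# dep became known-vulnerable" case.
#
# Uses Google's officially-recommended reusable workflow, pinned by commit
# SHA. The trailing "# vX.Y.Z" comment on the `uses:` line is informational
# only — keep it in sync with the SHA when bumping, since dependency-update
# bots and human readers key on it, not on the hash.
# Findings land in the repo's Security tab (Code Scanning > OSV-Scanner).
#
# fail-on-vuln is disabled so the job does not block merges on pre-existing
# vulnerabilities in pinned deps that we may need to patch deliberately.
# NOTE(review): the flag is all-or-nothing — with it off, a PR that bumps a
# dependency to an already-known-vulnerable version also merges without a red
# check; the only signal is the Security tab. If a blocking gate on *newly
# introduced* findings is wanted on the PR path, look at the upstream PR-diff
# variant of the reusable workflow (base-vs-head comparison) rather than
# flipping this flag, which would block on the whole pre-existing backlog.

on:
  # Invoked as a reusable workflow by ci.yml. GITHUB_TOKEN permissions are
  # inherited from the calling job and a called workflow can only downgrade
  # them, never escalate — so ci.yml must grant at least the set declared
  # under `permissions` below or the SARIF upload fails.
  # NOTE(review): on pull_request runs from forks the token is read-only
  # regardless of what either workflow declares, so expect the SARIF upload
  # to fail there; confirm how the reusable workflow treats that step before
  # relying on this job as a required check.
  workflow_call: {}
  schedule:
    # Weekly scan against main (Monday 09:00 UTC) — catches CVEs published
    # after merge for deps that haven't changed since.
    - cron: "0 9 * * 1"
  # Manual re-scan, e.g. right after a high-profile advisory drops.
  workflow_dispatch: {}

permissions:
  # Minimum set the reusable workflow needs to upload SARIF to the Security
  # tab. Deliberately nothing beyond that (no contents: write, no
  # pull-requests: write) — the job is detection-only and must not be able
  # to touch pins or open PRs even if the upstream workflow were compromised.
  actions: read
  contents: read
  security-events: write

jobs:
  scan:
    name: Scan lockfiles
    # Immutable commit pin; the version tag in the comment is for humans/bots.
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2  # v2.3.8
    with:
      # Scan explicit lockfiles rather than recursing, so we only look at
      # the three sources of truth and skip vendored / test / worktree dirs.
      # Trade-off: a lockfile added elsewhere in the tree is NOT picked up
      # until it is listed here — extend this list when adding one.
      scan-args: |-
        --lockfile=uv.lock
        --lockfile=package-lock.json
        --lockfile=website/package-lock.json
      # Report-only; see the header comment for why this is not a merge gate.
      fail-on-vuln: false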