.github/workflows/osv-scanner-reusable-pr.yml

@@ -56,7 +56,7 @@ jobs:
       - name: "Checkout target branch"
         run: git checkout $GITHUB_BASE_REF
       - name: "Run scanner on existing code"
-        uses: google/osv-scanner-action/osv-scanner-action@01ff5d1fb3f81ce02671051bcbef67347b5c6200 # v1.8.3
+        uses: google/osv-scanner-action/osv-scanner-action@fa6b69996424da9c1cebadc9bf67a02010433218 # v1.8.4
         continue-on-error: true
         with:
           scan-args: |-
@@ -66,15 +66,15 @@ jobs:
       - name: "Checkout current branch"
         run: git checkout $GITHUB_SHA
       - name: "Run scanner on new code"
-        uses: google/osv-scanner-action/osv-scanner-action@01ff5d1fb3f81ce02671051bcbef67347b5c6200 # v1.8.3
+        uses: google/osv-scanner-action/osv-scanner-action@fa6b69996424da9c1cebadc9bf67a02010433218 # v1.8.4
         with:
           scan-args: |-
             --format=json
             --output=new-results.json
             ${{ inputs.scan-args }}
         continue-on-error: true
       - name: "Run osv-scanner-reporter"
-        uses: google/osv-scanner-action/osv-reporter-action@01ff5d1fb3f81ce02671051bcbef67347b5c6200 # v1.8.3
+        uses: google/osv-scanner-action/osv-reporter-action@fa6b69996424da9c1cebadc9bf67a02010433218 # v1.8.4
         with:
           scan-args: |-
             --output=${{ inputs.results-file-name }}

.github/workflows/osv-scanner-reusable.yml

@@ -64,15 +64,15 @@ jobs:
           name: "${{ inputs.download-artifact }}"
           path: "./"
       - name: "Run scanner"
-        uses: google/osv-scanner-action/osv-scanner-action@01ff5d1fb3f81ce02671051bcbef67347b5c6200 # v1.8.3
+        uses: google/osv-scanner-action/osv-scanner-action@fa6b69996424da9c1cebadc9bf67a02010433218 # v1.8.4
         with:
           scan-args: |-
             --output=results.json
             --format=json
             ${{ inputs.scan-args }}
         continue-on-error: true
       - name: "Run osv-scanner-reporter"
-        uses: google/osv-scanner-action/osv-reporter-action@01ff5d1fb3f81ce02671051bcbef67347b5c6200 # v1.8.3
+        uses: google/osv-scanner-action/osv-reporter-action@fa6b69996424da9c1cebadc9bf67a02010433218 # v1.8.4
         with:
           scan-args: |-
             --output=${{ inputs.results-file-name }}

.github/workflows/osv-scanner-unified-workflow.yml

@@ -35,7 +35,7 @@ permissions:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6bd271cb6a4c61522812ff2e7f7719cadf74f685" # v1.8.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@712a57b5f042cd42c534f88b387f93fcec14394a" # v1.8.4
     with:
       # Example of specifying custom arguments
       scan-args: |-
@@ -44,7 +44,7 @@ jobs:
         ./
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6bd271cb6a4c61522812ff2e7f7719cadf74f685" # v1.8.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@712a57b5f042cd42c534f88b387f93fcec14394a" # v1.8.4
     with:
       # Example of specifying custom arguments
       scan-args: |-

README.md

@@ -1,6 +1,6 @@
 # OSV-Scanner CI/CD Action
 
-[![Release v1.8.3](https://img.shields.io/badge/release-v1.8.3-blue?style=flat)](https://github.com/google/osv-scanner-action/releases)
+[![Release v1.8.4](https://img.shields.io/badge/release-v1.8.4-blue?style=flat)](https://github.com/google/osv-scanner-action/releases)
 <!-- Hard coded release version -->
 
 The OSV-Scanner CI/CD action leverages the [OSV.dev](https://osv.dev/) database and the [OSV-Scanner](https://google.github.io/osv-scanner/) CLI tool to track and notify you of known vulnerabilities in your dependencies for over 11 [languages and ecosystems](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/).

osv-reporter-action/action.yml

@@ -22,7 +22,7 @@ inputs:
     required: true
 runs:
   using: "docker"
-  image: "docker://ghcr.io/google/osv-scanner-action:v1.8.3"
+  image: "docker://ghcr.io/google/osv-scanner-action:v1.8.4"
   entrypoint: /root/osv-reporter
   args:
     - "${{ inputs.scan-args }}"

osv-scanner-action/action.yml

@@ -25,6 +25,6 @@ inputs:
       ./
 runs:
   using: "docker"
-  image: "docker://ghcr.io/google/osv-scanner-action:v1.8.3"
+  image: "docker://ghcr.io/google/osv-scanner-action:v1.8.4"
   args:
     - ${{ inputs.scan-args }}

renovate.json

@@ -24,6 +24,10 @@
         ".github/**"
       ],
       "groupName": "workflows"
+    },
+    {
+      "matchPackageNames": ["google/osv-scanner-action"],
+      "enabled": false
     }
   ]
 }

update-script.py

@@ -0,0 +1,117 @@
+#!/usr/bin/env python3
+
+"""
+Performs the three git commit required to do a release. See help output for more details.
+"""
+
+import subprocess
+import re
+import sys
+
+
+def cmd(command: list[str]) -> str:
+    print('$ ' + ' '.join(command))
+    process = subprocess.run(command, capture_output=True, text=True)
+    if process.returncode != 0:
+        print('failed to run above command, got exit code: %d', process.returncode)
+        print('stderr: ' + process.stderr.strip())
+        exit(process.returncode)
+
+    output = process.stdout.strip()
+    print('# ' + output)
+    return output
+
+
+def find_and_replace_regex_in_file(file_path: str, find_regex: str,
+                                   replace: str):
+
+    print(f'Performing find and replace on "{file_path}": s/{find_regex}/{replace}')
+    # Read in the file
+    with open(file_path, 'r') as file:
+        filedata = file.read()
+
+    filedata = re.sub(find_regex, replace, filedata)
+
+    # Write the file out again
+    with open(file_path, 'w') as file:
+        file.write(filedata)
+
+
+def print_help():
+    print('''update-script.py <target-tag>
+
+Performs a series of git merges to update all references of the previous version to the specified tag of osv-scanner. This script expects upstream remote to be named `upstream`
+1. Fetch upstream main branch
+2. Create new branch on the most recent version tag (the last release commit)
+3. Update references to the old osv-scanner tag to the new tag, and make the first commit
+4. Update references to the old .github/workflows/osv-scanner-reusable.yml version to the newly made commit in the last step. Make the second commit.
+5. Finally update the unified workflow to point to the commit made in step 4, perform the third commit.
+
+After this script is complete, push the new branch and create a PR. This PR must be merged via a normal git merge commit, NOT a squash commit.
+Then create the new release tag on this merged PR commit.''')
+
+
+if len(sys.argv) != 2:
+    print_help()
+    exit()
+
+target_tag = sys.argv[1]
+if not target_tag.startswith('v'):
+    print_help()
+    print('Target tag needs to begin with v')
+    exit()
+
+cmd(['git', 'fetch', 'upstream'])
+print("fetched and checkout upstream/main")
+
+lastest_tag = cmd(['git', 'describe', '--tags', '--abbrev=0'])
+branch_name = cmd(['git', 'branch', '--show-current'])
+
+cmd(['git', 'checkout', '-b', 'update-to-' + target_tag, 'upstream/main'])
+
+find_and_replace_regex_in_file('osv-reporter-action/action.yml',
+                               re.escape(lastest_tag), target_tag)
+find_and_replace_regex_in_file('osv-scanner-action/action.yml',
+                               re.escape(lastest_tag), target_tag)
+find_and_replace_regex_in_file('README.md', re.escape(lastest_tag), target_tag)
+
+cmd([
+    'git', 'commit', '-a', '-m',
+    f'Update actions to use {target_tag} osv-scanner image'
+])
+
+first_commit_hash = cmd(['git', 'rev-parse', 'HEAD'])
+print('First commit hash: ' + first_commit_hash)
+
+find_and_replace_regex_in_file(
+    '.github/workflows/osv-scanner-reusable.yml',
+    'uses: google/osv-scanner-action/osv-(.*?)-action@.*? # .*',
+    f'uses: google/osv-scanner-action/osv-\\1-action@{first_commit_hash} # {target_tag}'
+)
+
+find_and_replace_regex_in_file(
+    '.github/workflows/osv-scanner-reusable-pr.yml',
+    'uses: google/osv-scanner-action/osv-(.*?)-action@.*? # .*',
+    f'uses: google/osv-scanner-action/osv-\\1-action@{first_commit_hash} # {target_tag}'
+)
+
+cmd([
+    'git', 'commit', '-a', '-m',
+    f'Update reusable workflows to point to {target_tag} actions'
+])
+
+second_commit_hash = cmd(['git', 'rev-parse', 'HEAD'])
+print('Second commit hash: ' + second_commit_hash)
+
+find_and_replace_regex_in_file(
+    '.github/workflows/osv-scanner-unified-workflow.yml',
+    'uses: "google/osv-scanner-action/\\.github/workflows/osv-scanner-reusable(.*?)@.*?" # .*',
+    f'uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable\\1@{second_commit_hash}" # {target_tag}'
+)
+
+cmd([
+    'git', 'commit', '-a', '-m',
+    f'Update unified workflow example to point to {target_tag} reusable workflows'
+])
+
+print('Success!')