Vuln scan on 3p deps triggered by label on PR (#42247)

sealesj · web-flow · commit 15d28bb59822 · 2023-05-23T18:42:21.000Z
This change allows for anyone submitting a PR which resolves a vulnerability found from the scanning action to be run on the PR to check for resolution if the label 'vulnerability patch' is applied to the PR. *List which issues are fixed by this PR. You must list at least one issue.* b/283970087 *If you had to change anything in the [flutter/tests] repo, include a link to the migration guide as per the [breaking change policy].* [C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
diff --git a/.github/workflows/third_party_scan.yml b/.github/workflows/third_party_scan.yml
@@ -4,6 +4,8 @@ on:
   branch_protection_rule:
   push:
     branches: [ main ]
+  pull_request:
+    types: [ labeled ]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -12,7 +14,9 @@ jobs:
   vuln-scan:
     name: Vulnerability scanning
     runs-on: ubuntu-20.04
-    if: ${{ github.repository == 'flutter/engine' }}
+    # run on flutter/engine push to main or PRs with 'vulnerability patch' label 
+    if: ${{  github.repository == 'flutter/engine' && (github.event_name == 'push' || github.event.label.name == 'vulnerability patch') }}
+
     permissions:
       # Needed to upload the SARIF results to code-scanning dashboard.
       security-events: write
