Fix OSV-Scanner

Use the reusable workflow instead of actions directly,
as recommended.

Signed-off-by: erjavaskivuori <[email protected]>

Author: erjavaskivuori

.github/workflows/osv-scanner-scan.yml

@@ -0,0 +1,72 @@
+# runs vulnerability scans and add them to Github Security tab
+
+name: OSV-Scanner Scheduled
+
+on:
+  workflow_dispatch:
+  schedule:
+  - cron: "12 6 * * *"
+  pull_request:
+    paths:
+    - ".github/workflows/osv-scanner-scan.yml"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write # for uploading SARIF files
+
+jobs:
+  set-go-version:
+    name: Set up Go version
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Calculate go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> "${GITHUB_OUTPUT}"
+    - name: Set up Go
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    - name: Create config.toml
+      run: echo "GoVersionOverride = \"${{ steps.vars.outputs.go_version }}\"" > config.toml
+    - name: Upload config.toml
+      uses: actions/upload-artifact@v4
+      with:
+        name: calculated-go-version
+        path: ./config.toml
+
+  scan-scheduled:
+    name: Run OSV Scanner
+    needs: set-go-version
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    with:
+      download-artifact: calculated-go-version
+      scan-args: |-
+        --config=./config.toml
+        --fail-on-vuln=false
+
+  check-and-notify:
+    name: Check vulnerabilities and notify
+    needs: [set-go-version, scan-scheduled]
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: SARIF file
+      - name: Check for vulnerabilities in SARIF
+        id: check
+        run: |
+          HAS_VULN=$(jq '[.runs[].results[]] | length > 0' results.sarif)
+          echo "has_vulnerabilities=$HAS_VULN" >> $GITHUB_OUTPUT
+      - name: Slack Notification on Vulnerability or Failure
+        if: ${{ steps.check.outputs.has_vulnerabilities == 'true' || contains(needs.*.result, 'failure') }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
+        env:
+          SLACK_TITLE: "OSV-Scanner failed or detected vulnerabilities in ${{ github.repository }}"
+          SLACK_COLOR: "#FF0000"
+          SLACK_MESSAGE: "OSV-Scanner failed or detected vulnerabilities in ${{ github.repository }}"
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_CHANNEL: metal3-github-actions-notify
+          SLACK_USERNAME: metal3-github-actions-notify