From e50360bc63c326cbe4a474ca9693d2aad8236cf3 Mon Sep 17 00:00:00 2001 From: Trevor Whitney Date: Wed, 15 Nov 2023 16:04:29 -0700 Subject: [PATCH 1/4] Do not run vulnerability scans on forks --- .github/workflows/vulnerability-scan.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index ddbb926c07057..869a89acd2d07 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -3,15 +3,13 @@ on: pull_request permissions: pull-requests: write - contents: write + issues: write jobs: snyk: name: Snyk Scan runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write + if: ${{ !github.event.pull_request.head.repo.fork }} steps: - name: Checkout code uses: actions/checkout@master @@ -50,9 +48,7 @@ jobs: trivy: name: Trivy Scan runs-on: ubuntu-20.04 - permissions: - issues: write - pull-requests: write + if: ${{ !github.event.pull_request.head.repo.fork }} steps: - name: Checkout code uses: actions/checkout@v3 From ca32cb83fb7ae4401288e92c04af0aafd844f090 Mon Sep 17 00:00:00 2001 From: Trevor Whitney Date: Wed, 15 Nov 2023 16:15:57 -0700 Subject: [PATCH 2/4] test without snyk token --- .github/workflows/vulnerability-scan.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 869a89acd2d07..af474b267b72d 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -16,8 +16,6 @@ jobs: - name: Run Snyk to check for vulnerabilities uses: snyk/actions/golang@master continue-on-error: true # To make sure that PR comment is made - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: test args: --severity-threshold=high --json-file-output=snyk.json From 7577e3c64c9e32dccac33345679ee26a7d05e5a2 Mon Sep 17 00:00:00 2001 
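Review bot: The new `if: ${{ !github.event.pull_request.head.repo.fork }}` on the snyk job — and the identical line on the trivy job in the second hunk — has no comment, and the reason for it is what a later maintainer needs when tempted to drop it. On `pull_request` runs from a fork the GITHUB_TOKEN is read-only and repository secrets are not passed, so the comment step and `SNYK_TOKEN` could not work there in any case; a line above each guard such as `# fork PRs get a read-only token and no secrets, so the PR-comment step cannot succeed` records that. Removing `contents: write` at the workflow level is a good reduction; the remaining `pull-requests: write` and `issues: write` appear to be what the comment action needs, but that is worth confirming against its documentation. Both job definitions continue past the end of their hunks.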
From: Trevor Whitney Date: Thu, 16 Nov 2023 10:44:05 -0700 Subject: [PATCH 3/4] split up trivy and snyk pr comment workflows --- .github/workflows/snyk-pr-comment.yml | 45 +++++++++++++++++++ ...rability-scan.yml => trivy-pr-comment.yml} | 40 +---------------- 2 files changed, 46 insertions(+), 39 deletions(-) create mode 100644 .github/workflows/snyk-pr-comment.yml rename .github/workflows/{vulnerability-scan.yml => trivy-pr-comment.yml} (52%) diff --git a/.github/workflows/snyk-pr-comment.yml b/.github/workflows/snyk-pr-comment.yml new file mode 100644 index 0000000000000..5f151fd932961 --- /dev/null +++ b/.github/workflows/snyk-pr-comment.yml @@ -0,0 +1,45 @@ +name: PR Vulnerability Scan +on: pull_request + +permissions: + pull-requests: write + issues: write + +jobs: + snyk: + name: Snyk Scan + runs-on: ubuntu-latest + if: ${{ !github.event.pull_request.head.repo.fork }} + steps: + - name: Checkout code + uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/golang@master + continue-on-error: true # To make sure that PR comment is made + with: + command: test + args: --severity-threshold=high --json-file-output=snyk.json + + - name: Prepare Snyk message + run: | + echo "Snyk scan found the following vulnerabilities:" > snyk.txt + + - name: Format Snyk Message + uses: sergeysova/jq-action@v2 + continue-on-error: true + with: + cmd: jq -r '.vulnerabilities[] | "* **\(.severity)** - [\(.identifiers.CVE[0])] \(.title) in `\(.moduleName)` v\(.version). Fixed in \(.fixedIn)"' snyk.json >> snyk.txt + + - name: Determine whether to comment + continue-on-error: true + id: should-comment + run: | + if [[ $(wc -l < snyk.txt) -gt 1 ]]; then exit 0; fi + exit 1 + + - name: Comment on PR with Snyk scan results + uses: mshick/add-pr-comment@v2 + if: ${{ steps.should-comment.outcome == 'success' }} + with: + message-id: snyk-${{ github.event.number }} + message-path: snyk.txt 
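Review bot: `uses: actions/checkout@master` and `uses: snyk/actions/golang@master` in the new snyk job track a mutable branch, so whatever those repositories push next runs inside this job — and after patch 4 the Snyk step is also handed `SNYK_TOKEN`. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # <version>`, and treat `sergeysova/jq-action@v2` the same way since a tag can be moved. The file also reuses `name: PR Vulnerability Scan`, which the trivy workflow keeps after the rename in this same patch, so both workflows show under one name in the Checks UI; `name: Snyk PR Comment` would disambiguate. The `Determine whether to comment` step relies on `continue-on-error: true` plus `exit 1` to mean "no findings"; a comment such as `# a failed outcome means only the header line was written, so no comment is posted` would make that intent explicit.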
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/trivy-pr-comment.yml similarity index 52% rename from .github/workflows/vulnerability-scan.yml rename to .github/workflows/trivy-pr-comment.yml index af474b267b72d..c57264a790bcd 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/trivy-pr-comment.yml @@ -1,52 +1,14 @@ name: PR Vulnerability Scan -on: pull_request +on: pull_request_target permissions: pull-requests: write issues: write jobs: - snyk: - name: Snyk Scan - runs-on: ubuntu-latest - if: ${{ !github.event.pull_request.head.repo.fork }} - steps: - - name: Checkout code - uses: actions/checkout@master - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/golang@master - continue-on-error: true # To make sure that PR comment is made - with: - command: test - args: --severity-threshold=high --json-file-output=snyk.json - - - name: Prepare Snyk message - run: | - echo "Snyk scan found the following vulnerabilities:" > snyk.txt - - - name: Format Snyk Message - uses: sergeysova/jq-action@v2 - continue-on-error: true - with: - cmd: jq -r '.vulnerabilities[] | "* **\(.severity)** - [\(.identifiers.CVE[0])] \(.title) in `\(.moduleName)` v\(.version). Fixed in \(.fixedIn)"' snyk.json >> snyk.txt - - - name: Determine whether to comment - continue-on-error: true - id: should-comment - run: | - if [[ $(wc -l < snyk.txt) -gt 1 ]]; then exit 0; fi - exit 1 - - - name: Comment on PR with Snyk scan results - uses: mshick/add-pr-comment@v2 - if: ${{ steps.should-comment.outcome == 'success' }} - with: - message-id: snyk-${{ github.event.number }} - message-path: snyk.txt trivy: name: Trivy Scan runs-on: ubuntu-20.04 - if: ${{ !github.event.pull_request.head.repo.fork }} steps: - name: Checkout code uses: actions/checkout@v3 From 052708674cd9d79d95cbbc187bf8f552250bee3d Mon Sep 17 00:00:00 2001 
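Review bot: `on: pull_request_target` combined with dropping the `if: ${{ !github.event.pull_request.head.repo.fork }}` guard means the trivy job now runs for fork PRs with the base repository's write-capable GITHUB_TOKEN and secrets, while the job still opens with `actions/checkout@v3` — the rest of that step and the scan itself are outside the hunk. If that checkout is given the PR head (`ref: ${{ github.event.pull_request.head.sha }}`), files from the fork are fed to Trivy under a privileged token; if it is not, the default checkout on `pull_request_target` is the base branch, and the scan reports the base rather than the PR. Whichever is intended, state it in a comment above `trivy:` and keep the privileged part minimal: check out with `persist-credentials: false`, keep `permissions` at the two write scopes the comment step needs, and do not build or execute anything from the checked-out tree in this job. The safer shape is a `pull_request` job that scans and uploads its report as an artifact, with a separate `workflow_run` workflow that posts the comment.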
From: Trevor Whitney Date: Thu, 16 Nov 2023 10:46:12 -0700 Subject: [PATCH 4/4] add snyk token back --- .github/workflows/snyk-pr-comment.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/snyk-pr-comment.yml b/.github/workflows/snyk-pr-comment.yml index 5f151fd932961..9eb86f069fc0c 100644 --- a/.github/workflows/snyk-pr-comment.yml +++ b/.github/workflows/snyk-pr-comment.yml @@ -16,6 +16,8 @@ jobs: - name: Run Snyk to check for vulnerabilities uses: snyk/actions/golang@master continue-on-error: true # To make sure that PR comment is made + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: test args: --severity-threshold=high --json-file-output=snyk.json
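Review bot: The restored `env:` block has no comment explaining why it was removed and re-added, and the commit titles ("test without snyk token", "add snyk token back") will not survive into the file. A line above `env:` such as `# SNYK_TOKEN is a repository secret; it is empty on fork PRs, which the job-level if: skips` tells the next reader both why the token is needed and why its exposure is limited — the job-level guard was added in patch 3 and sits outside this hunk, so that part is inferred from the series rather than visible here. The step's `continue-on-error: true` will also hide an authentication failure if the secret is missing; consider noting that next to it so a green job with no comment is not mistaken for a clean scan.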