@thomasleplus (Contributor) commented Sep 19, 2025

Exporting the results of the OSV scan in an output variable of the workflow will allow them to be used in later workflow jobs, for example to decide under which conditions the workflow should fail.

Here is a basic example of how the output could be used to fail the workflow if there is any result:

```yaml
---
name: OSV-Scanner

on:
  push:
    branches: ["main"]

permissions: {}

jobs:
  scan:
    permissions:
      security-events: write
      contents: read
      actions: read
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@90b209d0ea55cea1da9fc0c4e65782cc6acb6e2e" # v2.2.2
    with:
      fail-on-vuln: false
  check:
    runs-on: ubuntu-latest
    needs: scan
    steps:
      - name: Check OSV scan results
        run: |
          if grep -q -e . <<< "${RESULTS}" ; then
            >&2 echo "error: found vulnerabilities"
            exit 1
          fi
        env:
          RESULTS: ${{ needs.scan.outputs.results }}
```

A tool like jq could be used to write much more elaborate conditions based on the content of the results (severity, CVSS score, package name, etc.).
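As an added example (not part of the pull request or the osv-scanner-action project), here is the kind of condition the post suggests writing with jq, written in Python so it can be run offline. Like the `check` job above it reads the scan results from the `RESULTS` environment variable, but instead of failing on any output at all it fails only for packages whose highest CVSS score reaches a threshold, with an allow-list for packages that are accepted. The JSON layout it assumes (`results[].packages[]` with `package`, `vulnerabilities` and `groups[].max_severity`) follows osv-scanner's JSON output as I understand it and should be checked against a real run; the embedded sample document is constructed, and the `ignore_packages` allow-list is a hypothetical addition of mine.

```python
"""Decide whether a workflow should fail based on OSV-Scanner JSON results.

Added example, not part of the pull request. Assumption: the results follow
osv-scanner's JSON layout (results[].packages[].{package, vulnerabilities,
groups}); verify against real scanner output before relying on it.
"""
import json
import os
import sys

# Constructed sample in the assumed shape of osv-scanner JSON output.
SAMPLE_RESULTS = json.dumps({
    "results": [
        {
            "source": {"path": "package-lock.json", "type": "lockfile"},
            "packages": [
                {
                    "package": {"name": "example-lib", "version": "1.0.0", "ecosystem": "npm"},
                    "vulnerabilities": [
                        {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00001"]}
                    ],
                    "groups": [{"ids": ["GHSA-xxxx-xxxx-xxxx"], "max_severity": "7.5"}],
                },
                {
                    "package": {"name": "dev-only-tool", "version": "2.3.4", "ecosystem": "npm"},
                    "vulnerabilities": [{"id": "GHSA-yyyy-yyyy-yyyy", "aliases": []}],
                    "groups": [{"ids": ["GHSA-yyyy-yyyy-yyyy"], "max_severity": "3.1"}],
                },
            ],
        }
    ]
})


def findings(results_json):
    """Flatten the scanner output into one record per affected package."""
    data = json.loads(results_json) if results_json.strip() else {}
    out = []
    for result in data.get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            vuln_ids = [v.get("id", "") for v in pkg.get("vulnerabilities", [])]
            scores = []
            for group in pkg.get("groups", []):
                try:
                    # max_severity is assumed to be a CVSS base score as a string.
                    scores.append(float(group.get("max_severity") or 0))
                except ValueError:
                    scores.append(0.0)
            out.append({
                "ecosystem": meta.get("ecosystem", ""),
                "name": meta.get("name", ""),
                "version": meta.get("version", ""),
                "max_cvss": max(scores, default=0.0),
                "ids": vuln_ids,
            })
    return out


def blocking_findings(results_json, min_cvss=7.0, ignore_packages=()):
    """Return the findings that should fail the workflow.

    A finding blocks when its highest CVSS score reaches min_cvss and the
    package is not on the allow-list. A package that has vulnerabilities but no
    score at all blocks too: an unknown severity should not silently pass.
    """
    blocking = []
    for f in findings(results_json):
        if f["name"] in ignore_packages:
            continue
        unknown_severity = f["max_cvss"] == 0.0 and f["ids"]
        if f["max_cvss"] >= min_cvss or unknown_severity:
            blocking.append(f)
    return blocking


def main():
    # In the workflow RESULTS is set from needs.scan.outputs.results; the
    # constructed sample is used when the variable is absent.
    results = os.environ.get("RESULTS", SAMPLE_RESULTS)
    blocking = blocking_findings(results, min_cvss=7.0)
    for f in blocking:
        print(f"error: {f['ecosystem']}/{f['name']}@{f['version']} "
              f"max CVSS {f['max_cvss']}: {', '.join(f['ids'])}", file=sys.stderr)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a `run:` step with `RESULTS: ${{ needs.scan.outputs.results }}` in `env:`, as in the workflow above; with the constructed sample it exits 1 for `example-lib` (7.5) and ignores `dev-only-tool` (3.1).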

@thomasleplus (Contributor, Author) commented:

Resolves #99

@cuixq cuixq requested a review from another-rex November 7, 2025 02:07
@another-rex (Collaborator) commented:

Sorry for the delay! I'm still not very happy with the base64 option, as it would mean the parser would need to know to first run it through a b64decode.

Alternatively, I think having a random delimiter and multiline string might be an option?

```bash
RANDOM_STRING=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16)
DELIMITER="EOF_JSON_RESULTS_$RANDOM_STRING"

echo "json_content<<$DELIMITER" >> $GITHUB_OUTPUT
cat osv-results.json >> $GITHUB_OUTPUT
echo "$DELIMITER" >> $GITHUB_OUTPUT
```
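As an added example (not code from the pull request or the osv-scanner-action project), the same multiline-output scheme in Python so that it can be exercised offline: it writes the `name<<DELIMITER ... DELIMITER` form with an unpredictable delimiter, then reads the file back the way the runner would. It also adds the check a defender wants alongside the random delimiter: if the value contains the delimiter as a whole line, the heredoc would end early and everything after that line would be read as further outputs, so the writer refuses instead of producing spliced outputs. `parse_github_output` is a simplified reader of the format written for this demonstration, not the runner's own implementation, and the sample results document is constructed.

```python
"""Write and read back a multiline GitHub Actions output with a random delimiter.

Added example, not code from the pull request. parse_github_output is a
simplified reader written for the demonstration, not the runner's parser.
"""
import os
import secrets
import tempfile


def random_delimiter(prefix="EOF_JSON_RESULTS_"):
    """Unpredictable delimiter: the shell snippet uses 16 random alphanumerics, here 32 hex digits."""
    return prefix + secrets.token_hex(16)


def write_multiline_output(output_path, name, value, delimiter=None):
    """Append `name<<DELIM\\nvalue\\nDELIM\\n` to a GITHUB_OUTPUT-style file."""
    if not name or any(c in name for c in "=<\n"):
        raise ValueError("invalid output name")
    delimiter = delimiter or random_delimiter()
    # A value containing the delimiter as a line would terminate the heredoc
    # early. With a random delimiter this is astronomically unlikely; the check
    # turns the remaining possibility into an explicit failure.
    if delimiter in value.splitlines():
        raise ValueError("value contains the heredoc delimiter")
    with open(output_path, "a", encoding="utf-8") as fh:
        # The newline after the value guarantees the delimiter lands on its own
        # line even when the value (e.g. a JSON file) lacks a trailing newline.
        fh.write(f"{name}<<{delimiter}\n{value}\n{delimiter}\n")
    return delimiter


def parse_github_output(output_path):
    """Read a GITHUB_OUTPUT-style file back into a dict (single- and multi-line forms)."""
    outputs = {}
    with open(output_path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        if "<<" in line and "=" not in line.split("<<", 1)[0]:
            name, delimiter = line.split("<<", 1)
            body = []
            i += 1
            while i < len(lines) and lines[i] != delimiter:
                body.append(lines[i])
                i += 1
            outputs[name] = "\n".join(body)
        elif "=" in line:
            name, value = line.split("=", 1)
            outputs[name] = value
        i += 1
    return outputs


def demo():
    """Round-trip a constructed results document through a temporary output file."""
    sample = '{\n  "results": []\n}\n'  # constructed stand-in for osv-results.json
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "github_output")
        write_multiline_output(path, "json_content", sample)
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("scanner=osv\n")  # an ordinary single-line output next to it
        return parse_github_output(path)


def delimiter_collision_is_rejected():
    """Show the guard: a fixed, guessable delimiter that occurs in the value is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "github_output")
        try:
            write_multiline_output(path, "json_content",
                                   "a\nEOF_JSON_RESULTS\nb", delimiter="EOF_JSON_RESULTS")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("collision rejected:", delimiter_collision_is_rejected())
```

The value round-trips byte for byte, including its trailing newline, because the writer always emits its own newline before the delimiter; the shell snippet relies on `osv-results.json` ending with a newline for the same effect.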

@thomasleplus (Contributor, Author) commented Nov 14, 2025

> Sorry for the delay! I'm still not very happy with the base64 option, as it would mean the parser would need to know to first run it through a b64decode.
>
> Alternatively, I think having a random delimiter and multiline string might be an option?
>
> ```bash
> RANDOM_STRING=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16)
> DELIMITER="EOF_JSON_RESULTS_$RANDOM_STRING"
>
> echo "json_content<<$DELIMITER" >> $GITHUB_OUTPUT
> cat osv-results.json >> $GITHUB_OUTPUT
> echo "$DELIMITER" >> $GITHUB_OUTPUT
> ```

I like your approach much better. Let me work on it. Thanks!

@thomasleplus (Contributor, Author) commented:

> Sorry for the delay! I'm still not very happy with the base64 option, as it would mean the parser would need to know to first run it through a b64decode.
>
> Alternatively, I think having a random delimiter and multiline string might be an option?
>
> ```bash
> RANDOM_STRING=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16)
> DELIMITER="EOF_JSON_RESULTS_$RANDOM_STRING"
>
> echo "json_content<<$DELIMITER" >> $GITHUB_OUTPUT
> cat osv-results.json >> $GITHUB_OUTPUT
> echo "$DELIMITER" >> $GITHUB_OUTPUT
> ```

Done!

@another-rex (Collaborator) left a review comment:

Thanks! Looking good!
