Merge pull request #183 from h2oai/devops/snyk-add-changed-files #12

	name: Snyk Security Vulnerability Scan

	on:
	workflow_dispatch:
	pull_request:
	push:
	tags:
	- '[0-9]+.[0-9]+.[0-9]+'
	branches:
	- 'master'

	jobs:
	snyk_scan_test:
	if: ${{ github.event_name == 'pull_request' }}
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@master
	- uses: snyk/actions/setup@master

	- uses: actions/setup-node@v3
	with:
	node-version: '16.x'

	- name: Check changed Deps files
	uses: tj-actions/changed-files@v35
	id: changed-files
	with:
	files: \| # This will match all the files with below patterns
	**/package-lock.json

	- name: Snyk scan for Node dependencies - package-lock.json
	if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package-lock.json')
	run: \|
	snyk test --file=package-lock.json -d --fail-on=all
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

	snyk_scan_monitor:
	if: ${{ github.event_name == 'push' \|\| github.event_name == 'workflow_dispatch' }}
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@master

	- name: Extract github branch/tag name
	shell: bash
	run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
	id: extract_ref

	- uses: snyk/actions/setup@master

	- uses: actions/setup-node@v3
	with:
	node-version: '16.x'

	- name: Snyk scan for Node dependencies - package-lock.json files
	run: \|
	snyk monitor \
	--org=h2o-3 \
	--remote-repo-url=h2o-flow/${{ steps.extract_ref.outputs.ref }} \
	--file=package-lock.json \
	--project-name=H2O-3/h2o-flow/${{ steps.extract_ref.outputs.ref }}/package-lock.json -d
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Provide feedback