ci(osv-scanner): fix arguments too long

thomasleplus · thomasleplus · commit 0e4fce2a7525 · 2026-06-10T00:00:34.000+02:00
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
@@ -40,16 +40,19 @@ jobs:
         run: |
           set -euo pipefail
           IFS=$'\n\t'
+          cat > "${RUNNER_TEMP}/new_results.json" <<'__OSV_NEW_RESULTS_EOF__'
+          ${{ needs.osv-scanner-pr.outputs.new-results }}
+          __OSV_NEW_RESULTS_EOF__
+          cat > "${RUNNER_TEMP}/old_results.json" <<'__OSV_OLD_RESULTS_EOF__'
+          ${{ needs.osv-scanner-pr.outputs.old-results }}
+          __OSV_OLD_RESULTS_EOF__
           rc=0
-          echo "${NEW_RESULTS}" | jq -r '.results[].packages[].vulnerabilities[].id' | while read -r vid; do
-            if echo "${OLD_RESULTS}" | grep -q -L -e "\"${vid}\""; then
+          jq -r '.results[].packages[].vulnerabilities[].id' "${RUNNER_TEMP}/new_results.json" | while read -r vid; do
+            if grep -q -L -e "\"${vid}\"" "${RUNNER_TEMP}/old_results.json"; then
               rc=$((rc+1))
               >&2 echo "error: PR introduces new vulnerabilities ${vid} (see step 'scan > osv-scanner-pr > Run osv-scanner-reporter' for details)"
             fi
           done
           if [ "${rc}" -gt 0 ]; then
             exit "${rc}"
           fi
-        env:
-          OLD_RESULTS: ${{ needs.osv-scanner-pr.outputs.old-results }}
-          NEW_RESULTS: ${{ needs.osv-scanner-pr.outputs.new-results }}
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -42,20 +42,21 @@ jobs:
         run: |
           set -euo pipefail
           IFS=$'\n\t'
+          cat > "${RUNNER_TEMP}/results.json" <<'__OSV_RESULTS_EOF__'
+          ${{ needs.osv-scanner.outputs.results }}
+          __OSV_RESULTS_EOF__
           # jq expression:
           # - iterate packages -> vulnerabilities -> full osv entry -> severity[] (type, score)
           # - extract numeric scores for CVSS types (cvss_v3 or numeric severity[].score)
           # - compare to threshold
-          if echo "${RESULTS}" | jq '
+          if jq '
             .results[]
             | .packages[]?
             | .vulnerabilities[]?
             | ( .severity[]?.score // "" ) as $s
             | select($s != "")
             | ($s | tonumber) >= 4.0
-            ' | grep -q -e . ; then
+            ' "${RUNNER_TEMP}/results.json" | grep -q -e . ; then
             >&2 echo "error: found one or more vulnerabilities with a medium or higher severity (see step 'scan > osv-scanner > Run osv-scanner-reporter' for details)"
             exit 1
           fi
-        env:
-          RESULTS: ${{ needs.osv-scanner.outputs.results }}
diff --git a/.zizmor.yml b/.zizmor.yml
@@ -15,3 +15,7 @@ rules:
         - ossf/*
         - sigstore/*
         - super-linter/super-linter
+  template-injection:
+    ignore:
+      - osv-scanner.yml
+      - osv-scanner-pr.yml
