replicatedhq · e3b0c442 · Apr 10, 2023 · Apr 10, 2023 · Apr 10, 2023 · Apr 10, 2023
@@ -2,3 +2,11 @@ version: 3
 
 project:
   id: github.com/replicatedhq/kurl
+
+targets:
+  only:
+    - type: gomod
+      path: .
+    - type: npm
+      path: .
+
@@ -0,0 +1,50 @@
+name: FOSSA license scan
+
+on:
+  pull_request_target: # this is safe as these scans do not execute provided code
+    branches:
+      - main
+    paths:
+      - go.sum
+      - package-lock.json
+
+  push:
+    branches:
+      - main
+
+jobs:
+  fossa-scan-pr:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: refs/pull/${{ github.event.number }}/merge
+      - name: "Install FOSSA" 
+        uses: replicatedhq/action-fossa/install@main
+      - name: "Run FOSSA Scan"
+        uses: replicatedhq/action-fossa/scan@main
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          diff: true
+          diff-ref: ${{ github.event.pull_request.base.sha }}
+          debug: true
+
+  fossa-scan-merge:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          depth: 2
+      - id: previous
+        run: echo "sha=$(git rev-parse HEAD~1)" >> "${GITHUB_OUTPUT}"
+      - name: "Install FOSSA" 
+        uses: replicatedhq/action-fossa/install@main
+      - name: "Run FOSSA Scan"
+        uses: replicatedhq/action-fossa/scan@main
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          diff: true
+          diff-ref: ${{ steps.previous.outputs.sha }}
+          debug: true
@@ -27,3 +27,7 @@ sbom/
 
 # ide 
 .vscode
+
+# FOSSA
+fossa.debug.*
+fossa.telemetry.*