search

google / osv-scanner-action

https://google.github.io/osv-scanner/github-action/
Apache License 2.0
12 stars 13 forks source link

download artifact, no such file or directory #35

Open GeoDerp opened 1 month ago

GeoDerp commented 1 month ago

Greetings, I have been testing out a fork of osv-scanner to add support for matrix's. Most of it works. however I am being stumped on this open /github/workspace/amd64.status': no such file or directory error.

I have two artifact files that get uploaded and downloaded into the OSV action. The files successfully download into the correct directory, however the scanner finds no file.

Error

Screenshot from 2024-07-21 16-49-23 Logs: https://github.com/GeoDerp/emhass/actions/runs/10026253342/job/27710383510

I can validate that the file is indeed being downloaded to the directory (/home/runner/work/emhass/emhass) that is being mounted to /github/workspace/: Screenshot from 2024-07-21 16-53-14

Action snippet:

.
.
.
# previous job creates amd64.status and amd64-requirements.txt in ./OSV/
      - name: Upload package list as digest
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.platform.target_arch }}-packages
          path: ./OSV/*
          if-no-files-found: error
          retention-days: 1
.
.
.
  # Google OSV-Scanner  
  osv-scan:
    needs:
      - build
    strategy:
      matrix:
        platform: [
          {target_arch: amd64},
          # {target_arch: armv7}
          # {target_arch: armhf},
          # {target_arch: aarch64}
        ]
    uses: "GeoDerp/osv-scanner/.github/workflows/osv-scanner-reusable.yml@v1.9.0-beta"
    with:
      download-artifact-directory: "./"
      download-artifact: "${{ matrix.platform.target_arch }}-packages"
      results-file-name: "${{ matrix.platform.target_arch }}.sarif"
      security-category: "${{ matrix.platform.target_arch }}-OSV-Scanner"
      scan-args: |-
        --lockfile='dpkg-status:./${{ matrix.platform.target_arch }}.status'
        --lockfile='requirements.txt:./${{matrix.platform.target_arch }}-requirements.txt'
        --recursive
        --skip-git
        ./
    permissions:
      security-events: write
      contents: write

The download-artifact-directory input will be removed before I make a PR, just for current testing. Full action here: https://github.com/GeoDerp/emhass/blob/OSV-integration/.github/workflows/publish_docker.yaml Used osv-scanner-reusable.yaml: https://github.com/GeoDerp/osv-scanner/blob/main/.github/workflows/osv-scanner-reusable.yml

Quick Note: I have tweaked things like permission variables in the main action. However, that does not seem to help.