Restraint makeover #2068

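# GitHub action to run Snyk check for vulnerabilities in all requirement files.
#
# Triggers: every pull request, and pushes to main.
# The scan runs inside the project's dev container through the
# `inv vulnerability-scan --modified-files-only` task.
name: vulnerability_scan
on:
  pull_request:
  push:
    branches: [main]
jobs:
  vulnerability_scan:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN (previously `write-all`, which grants
    # write access to every scope). The steps below only check out the
    # repository and pull/push the dev container image on ghcr.io.
    # Widen this only if a step is shown to need another scope.
    permissions:
      contents: read
      packages: write
    steps:
      # NOTE(review): the actions below are referenced by mutable tags. Pinning
      # each one to a full commit SHA keeps a re-tagged release from changing
      # what runs with this job's token and secrets.
      - name: Checkout (GitHub)
        uses: actions/checkout@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Create github hosts file
        # If this file is not created, the dev container fails because of a
        # non-existent mount.
        run: |
          mkdir -p ~/.config/gh
          touch ~/.config/gh/hosts.yml
      - name: Pre-build dev container image
        # NOTE(review): the ref after `devcontainers/` was mangled by the
        # page's e-mail obfuscation (presumably `devcontainers/ci@<ref>`);
        # restore the real ref from the repository before using this file.
        uses: devcontainers/[email protected]
        with:
          imageName: ghcr.io/aarhus-psychiatry-research/psycop-common
          push: filter
          # runCmd executes the checked-out branch's own `inv` task, so on a
          # pull request the code under review runs with the environment
          # defined in `env` below.
          runCmd: |
            git config --global --add safe.directory /workspaces/psycop-common && git fetch origin main && inv vulnerability-scan --modified-files-only
          # SNYK_TOKEN is exported into the container and is therefore readable
          # by whatever runCmd runs; keep this token scoped to scanning only.
          env: |
            SNYK_TOKEN=${{ secrets.SNYK_TOKEN }}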