From f0018c24ee2b8da7e559aa04dc077e329b61d50d Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Mon, 17 Mar 2025 14:11:46 -0500 Subject: [PATCH 1/3] Add updated coana workflows --- .github/workflows/coana-analysis.yml | 19 ++++++++------ .github/workflows/coana-guardrail.yml | 37 ++++++++++++++++----------- 2 files changed, 33 insertions(+), 23 deletions(-) diff --git a/.github/workflows/coana-analysis.yml b/.github/workflows/coana-analysis.yml index 81a28995..90bfa069 100644 --- a/.github/workflows/coana-analysis.yml +++ b/.github/workflows/coana-analysis.yml @@ -2,24 +2,27 @@ name: Coana Vulnerability Analysis on: schedule: - # every day at 12 AM - - cron: '0 0 * * *' + - cron: "0 3 * * *" # every day at 3 AM workflow_dispatch: inputs: tags: - description: 'Manually run vulnerability analysis' + description: "Manually run vulnerability analysis" + # Required by the return-dispatch action + distinct_id: jobs: coana-vulnerability-analysis: runs-on: ubuntu-latest - timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v4 + - name: Run Coana CLI id: coana-cli - run: | - npx @coana-tech/cli run . \ - --api-key ${{ secrets.COANA_API_KEY }} \ - --repo-url https://github.com/${{github.repository}} + uses: docker://coana/coana:latest + with: + args: | + coana run . \ + --api-key ${{ secrets.COANA_API_KEY }} \ + --repo-url https://github.com/${{github.repository}} diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml index 945a4043..6f4139a7 100644 --- a/.github/workflows/coana-guardrail.yml +++ b/.github/workflows/coana-guardrail.yml 
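Review bot: `uses: docker://coana/coana:latest` in the rewritten `Run Coana CLI` step selects the image by a mutable tag while handing it `secrets.COANA_API_KEY`, so whoever can push that tag controls code that sees the key; pin the image by digest, e.g. `uses: docker://coana/coana@sha256:<IMAGE_DIGEST>` (placeholder digest), and bump it deliberately. Dropping `timeout-minutes: 60` means the job now falls back to GitHub's default 360-minute job limit, so a hung container is no longer bounded; keep an explicit value. The new `distinct_id:` input is declared with no body, which YAML reads as a null value; giving it at least a `description:` (for example `description: "Set by the return-dispatch action to identify this run"`) keeps it consistent with `tags` above and avoids relying on how the workflow parser treats an empty input.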
@@ -5,24 +5,27 @@ on: pull_request jobs: guardrail: runs-on: ubuntu-latest - timeout-minutes: 15 + steps: - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v44 - with: - separator: ' ' - - name: Checkout the ${{github.base_ref}} branch uses: actions/checkout@v4 with: ref: ${{github.base_ref}} # checkout the base branch (usually master/main). - + + - name: Fetch the PR branch + run: | + git fetch origin ${{ github.head_ref }}:${{ github.head_ref }} --depth=1 + + - name: Get list of changed files relative to the main/master branch + id: changed-files + run: | + echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT + - name: Use Node.js 20.x uses: actions/setup-node@v4 with: node-version: 20.x - + - name: Run Coana on the ${{github.base_ref}} branch run: | npx @coana-tech/cli run . \ @@ -31,16 +34,20 @@ jobs: -o /tmp/main-branch \ --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \ --lightweight-reachability \ - - # Reset file permissions changed by Coana CLI. + + # Reset file permissions. + # This is necessary because the Coana CLI may add + # new files with root ownership since it's using docker. + # These files will not be deleted by the clean step in checkout + # if the permissions are not reset. - name: Reset file permissions run: sudo chown -R $USER:$USER . - + - name: Checkout the current branch uses: actions/checkout@v4 with: clean: true - + - name: Run Coana on the current branch run: | npx @coana-tech/cli run . \ @@ -49,7 +56,7 @@ jobs: -o /tmp/current-branch \ --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \ --lightweight-reachability \ - + - name: Run Report Comparison run: | npx @coana-tech/cli compare-reports \ 
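Review bot: The new `Fetch the PR branch` and `Get list of changed files` steps interpolate `${{ github.head_ref }}` (and `${{ github.base_ref }}`) straight into `run:` shell text; on a `pull_request` workflow the head branch name is chosen by the PR author, and GitHub's hardening guide lists `github.head_ref` among the contexts that must not be expanded inline in scripts. Pass the refs through `env:` and quote them, as below, which also lets `$GITHUB_OUTPUT` be quoted. The same inline expansion reappears in patch 3's rewrite of the fetch line and in the existing `--changed-files ${{ steps.changed-files.outputs.all_changed_files }}` argument, which now carries file names taken from the PR diff. Separately, dropping `timeout-minutes: 15` leaves the job on GitHub's default 360-minute limit; a deliberate value such as `timeout-minutes: 30` keeps a wedged analysis from burning runner time.
```yaml
      - name: Fetch the PR branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git fetch origin "$HEAD_REF:$HEAD_REF" --depth=1

      - name: Get list of changed files relative to the main/master branch
        id: changed-files
        env:
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "all_changed_files=$(git diff --name-only "$BASE_REF" "$HEAD_REF" | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
      # … unchanged: Node.js setup and Coana run on the base branch …
```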
@@ -57,4 +64,4 @@ jobs: /tmp/main-branch/coana-report.json \ /tmp/current-branch/coana-report.json env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From b80d7ae70b81b1a450dd0ed2ef9d89c7d02bab49 Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Mon, 17 Mar 2025 15:29:43 -0500 Subject: [PATCH 2/3] trigger CI From 74252f12c4a3c64e47570f40f17cf8052094642f Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Mon, 17 Mar 2025 20:49:56 -0500 Subject: [PATCH 3/3] fix guardrail for forks --- .github/workflows/coana-guardrail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml index 6f4139a7..6928ce02 100644 --- a/.github/workflows/coana-guardrail.yml +++ b/.github/workflows/coana-guardrail.yml @@ -14,7 +14,7 @@ jobs: - name: Fetch the PR branch run: | - git fetch origin ${{ github.head_ref }}:${{ github.head_ref }} --depth=1 + git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1 - name: Get list of changed files relative to the main/master branch id: changed-files