update branach handling move action file to templates

MetaMask · witmicko · Nov 26, 2025 · Dec 2, 2025 · Dec 9, 2025 · Dec 9, 2025
commit 27e6a8321b2db564983e3b9a0358c3d33d049852
@@ -5,6 +5,7 @@ This directory contains templates for onboarding PRs that add the Security Code
 ## Templates
 
 ### `onboarding-pr-body-manual.md`
+
 **Use for:** Manual PRs created by the security team
 
 - More detailed with full language configuration examples
@@ -13,6 +14,7 @@ This directory contains templates for onboarding PRs that add the Security Code
 - No auto-merge disclaimer
 
 ### `onboarding-pr-body-automated.md`
+
 **Use for:** Automated PRs created by workflows
 
 - Shorter, more concise
@@ -29,6 +31,7 @@ Both templates support variable substitution:
 ## Usage
 
 **Manual PRs:**
+
 ```bash
 # Copy and paste from onboarding-pr-body-manual.md
 # Replace {{SECURITY_SCANNING_URL}} with actual URL

@@ -3,11 +3,13 @@
 **This PR may be auto-merged in the future if not configured.**
 
 If your team does not need the security scanner:
+
 1. **Add a comment on this PR** explaining why your team is opting out
 2. **Close this PR** to prevent auto-merge
 3. **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts
 
 If you need the scanner but want to customize it:
+
 1. Complete the checklist below
 2. Review and modify the workflow file as needed
 3. Approve and merge this PR when ready
@@ -19,6 +21,7 @@ If no action is taken, this PR may be automatically merged after a grace period
 ## Required Action
 
 Prior to merging this pull request, please ensure the following has been completed:
+
 - [ ] The lines specifying `branches` correctly specify this repository's default branch (usually `main` or `master`).
 - [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup))
 - [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below)
@@ -84,10 +87,12 @@ The scanner auto-detects languages in your repository. If you need to customize
 For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md).
 
 Optional secrets that can be configured:
+
 - `SECURITY_SCAN_METRICS_TOKEN` - for metrics collection
 - `APPSEC_BOT_SLACK_WEBHOOK` - for Slack notifications
 
 For any additional questions, please reach out to `@app-sec` in Slack.
 
 ---
-🤖 *This PR was automatically created by the MetaMask Security onboarding system*
+
+🤖 _This PR was automatically created by the MetaMask Security onboarding system_
@@ -0,0 +1,51 @@
+name: MetaMask Security Code Scanner
+
+on:
+  push:
+    branches:
+      - { DEFAULT_BRANCH }
+  pull_request:
+    branches:
+      - { DEFAULT_BRANCH }
+  workflow_call:
+    secrets:
+      SECURITY_SCAN_METRICS_TOKEN:
+        required: false
+      APPSEC_BOT_SLACK_WEBHOOK:
+        required: false
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      repo: ${{ github.repository }}
+      scanner-ref: 'v2'
+      paths-ignored: |
+        node_modules
+        **/node_modules/**
+        **/__snapshots__/**
+        __snapshots_linux__
+        **/__stories__/**
+        .storybook/
+        **/*.test.ts
+        **/*.test.tsx
+        **/*.test.js
+        **/*.test.jsx
+        **/*.spec.ts
+        **/*.spec.tsx
+        **/*.spec.js
+        **/*.spec.jsx
+        **/test*/**
+        **/e2e/**
+        **/tests/**
+      languages-config: |
+        [
+        ]
+    secrets:
+      project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+      slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
@@ -33,17 +33,13 @@ jobs:
             ORG="${{ github.event.client_payload.organization }}"
             REPO_NAME="${{ github.event.client_payload.repository }}"
             REPO="$ORG/$REPO_NAME"
-            BASE_BRANCH="${{ github.event.client_payload.base_branch }}"
           else
             REPO="${{ inputs.organization }}/${{ inputs.repository }}"
-            BASE_BRANCH=""
           fi
 
-          # If base_branch is not set, detect it from the repository
-          if [ -z "$BASE_BRANCH" ]; then
-            echo "Detecting default branch for $REPO..."
-            BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch')
-          fi
+          # Auto-detect default branch from the repository
+          echo "Detecting default branch for $REPO..."
+          BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch')
 
           echo "repository=$REPO" >> "$GITHUB_OUTPUT"
           echo "base_branch=$BASE_BRANCH" >> "$GITHUB_OUTPUT"
@@ -71,8 +67,11 @@ jobs:
           # Create .github/workflows directory if it doesn't exist
           mkdir -p .github/workflows
 
-          # Copy the security scanner workflow template
-          cp ../scanner-repo/examples/security-code-scanner.yml .github/workflows/security-code-scanner.yml
+          # Copy the security scanner workflow template and replace placeholders
+          BASE_BRANCH="${{ steps.target.outputs.base_branch }}"
+          sed "s/{ DEFAULT_BRANCH }/$BASE_BRANCH/g" \
+            ../scanner-repo/.github/templates/security-code-scanner.yml \
+            > .github/workflows/security-code-scanner.yml
 
           git add .github/workflows/security-code-scanner.yml
           git commit -m "chore: add MetaMask Security Code Scanner workflow

@@ -28,9 +28,9 @@ jobs:
       paths-ignored: |
         node_modules
         **/node_modules/**
-        **/__snapshots__/
+        **/__snapshots__/**
         __snapshots_linux__
-        **/__stories__/
+        **/__stories__/**
         .storybook/
         **/*.test.ts
         **/*.test.tsx