FOSSA process refinements (#1118)

.github/workflows/fossa.yaml

@@ -0,0 +1,49 @@
+name: FOSSA license scan
+
+on:
+  pull_request_target: # this is safe as these scans do not execute provided code
+    branches:
+      - main
+    paths:
+      - go.sum
+
+  push:
+    branches:
+      - main
+
+jobs:
+  fossa-scan-pr:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: refs/pull/${{ github.event.number }}/merge
+      - name: "Install FOSSA" 
+        uses: replicatedhq/action-fossa/install@main
+      - name: "Run FOSSA Scan"
+        uses: replicatedhq/action-fossa/scan@main
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          diff: true
+          diff-ref: ${{ github.event.pull_request.base.sha }}
+          debug: true
+
+  fossa-scan-merge:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+      - id: previous
+        run: echo "sha=$(git rev-parse HEAD~1)" >> "${GITHUB_OUTPUT}"
+      - name: "Install FOSSA" 
+        uses: replicatedhq/action-fossa/install@main
+      - name: "Run FOSSA Scan"
+        uses: replicatedhq/action-fossa/scan@main
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          diff: true
+          diff-ref: ${{ steps.previous.outputs.sha }}
+          debug: true

.github/workflows/pr-license-scan.yaml

@@ -1,18 +0,0 @@
-name: PR license scan
-
-on:
-  pull_request_target: # this is safe as these scans do not execute provided code
-
-jobs:
-  fossa-scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          ref: refs/pull/${{ github.event.number }}/merge
-      - name: "Install FOSSA" 
-        uses: replicatedhq/action-fossa/install@main
-      - name: "Run FOSSA Scan"
-        uses: replicatedhq/action-fossa/scan@main
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}