From ccb7b1619bf00690eb7218530b7a560aa6a9812f Mon Sep 17 00:00:00 2001
From: Nick Meyer
Date: Mon, 7 Nov 2022 11:46:27 -0600
Subject: [PATCH] Update fossa (#826)

* Transition FOSSA to locally-managed action

* correct ref
---
 .github/workflows/pr-license-scan.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/pr-license-scan.yaml b/.github/workflows/pr-license-scan.yaml
index 1778a0e7..47e85363 100644
--- a/.github/workflows/pr-license-scan.yaml
+++ b/.github/workflows/pr-license-scan.yaml
@@ -1,19 +1,18 @@
 name: PR license scan
 on:
-  pull_request:
+  pull_request_target: # this is safe as these scans do not execute provided code
 jobs:
   fossa-scan:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: "Run FOSSA Analyze"
-        uses: fossas/fossa-action@main
         with:
-          api-key: 1d5511d63d5a4ccda6d3cef2a7ef08c1 # push-only token, safe to expose
-      - name: "Run FOSSA Test"
-        uses: fossas/fossa-action@main
+          ref: ${{ github.head_ref }}
+      - name: "Install FOSSA"
+        uses: replicatedhq/action-fossa/install@main
+      - name: "Run FOSSA Scan"
+        uses: replicatedhq/action-fossa/scan@main
         with:
-          api-key: 1d5511d63d5a4ccda6d3cef2a7ef08c1 # push-only token, safe to expose
-          run-tests: true
+          api-key: ${{ secrets.FOSSA_API_KEY }}
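Review bot: The `# this is safe as these scans do not execute provided code` justification on `pull_request_target` does not hold up once `actions/checkout` is given `ref: ${{ github.head_ref }}` later in the same hunk: the job now checks out the PR author's tree into a run that carries the base repository's `GITHUB_TOKEN` (write-capable by default under this trigger) and `secrets.FOSSA_API_KEY`, which is the classic "pwn request" shape. The FOSSA CLI's analysis strategies can shell out to the project's build tooling and honor a `.fossa.yml` found in the checked-out tree, so the "no execution" assumption should be verified against whatever the `replicatedhq/action-fossa` steps actually install — steps that are themselves pinned to the mutable `@main` ref rather than a commit SHA. `github.head_ref` is also only a branch name and, for a PR from a fork, may not exist in the base repository at all, so the checkout should target the immutable head SHA instead. If the scan must run on PR content with the secret, at minimum restrict the token with a job-level `permissions:` block, check out `github.event.pull_request.head.sha`, and stop persisting the token in the checkout; the previously committed key is still in git history, so rotating it is warranted if that has not already been done.
```yaml
jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # … unchanged: Install FOSSA / Run FOSSA Scan steps (pin their @main refs to commit SHAs) …
```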