From 2446be44b897db76b96a5f983d3d42c1cb463f01 Mon Sep 17 00:00:00 2001
From: Lukasz
Date: Mon, 27 Apr 2026 11:06:07 +0200
Subject: [PATCH] fix: restore osv scanner workflow (#24702)

---
 .github/workflows/security.yaml | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index bb6208f836..d53ec1b58e 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -67,30 +67,26 @@ jobs:
     permissions:
       security-events: write
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    env:
+      IMAGE_REF: ghcr.io/coder/coder:latest
+      OSV_SCANNER_VERSION: v2.3.5
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version: "1.25.9"
-          cache: false
-
       - name: Install OSV-Scanner
-        run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@v2.3.5
+        run: |
+          curl -fsSL -o /usr/local/bin/osv-scanner \
+            "https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/osv-scanner_linux_amd64"
+          chmod +x /usr/local/bin/osv-scanner
       - name: Pull released Coder image
-        env:
-          IMAGE_REF: ghcr.io/coder/coder:latest
         run: docker pull "$IMAGE_REF"
       - name: Run OSV-Scanner vulnerability scanner
         id: scan
-        env:
-          IMAGE_REF: ghcr.io/coder/coder:latest
         run: |
           set +e
           osv-scanner scan image "$IMAGE_REF" \