Add mend workflow for security scanning (nginx#746)

New workflow for scanning and uploading mend results.

Also updated a couple other jobs with proper permissions and removed unnecessary defaults.

.github/workflows/fossa.yml

@@ -16,6 +16,7 @@ jobs:
   scan:
     name: Fossa
     runs-on: ubuntu-22.04
+    if: ${{ github.event.repository.fork == false }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

.github/workflows/lint.yml

@@ -12,14 +12,13 @@ on:
       - reopened
       - synchronize
 
-defaults:
-  run:
-    shell: bash
-
 concurrency:
   group: ${{ github.ref_name }}-lint
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint

.github/workflows/mend.yml

@@ -0,0 +1,36 @@
+name: Mend
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - design/**
+      - deploy**
+      - docs/**
+      - examples/**
+
+concurrency:
+  group: ${{ github.ref_name }}-mend
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    name: Mend
+    runs-on: ubuntu-22.04
+    if: ${{ github.event.repository.fork == false }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Download agent
+        run: curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
+      - name: Verify JAR
+        run: jarsigner -verify wss-unified-agent.jar
+      - name: Scan and upload
+        env:
+          PRODUCT_NAME: nginx-kubernetes-gateway_${{ github.ref_name }}
+          PROJECT_NAME: nginx-kubernetes-gateway
+        run: java -jar wss-unified-agent.jar -noConfig true -wss.url ${{ secrets.WSS_URL }} -apiKey ${{ secrets.WSS_NGINX_TOKEN }} -product $PRODUCT_NAME -project $PROJECT_NAME -d .