Created GHA workflow for SCA scan (#6117) [ci skip]

Signed-off-by: Arnau Alcázar Lleopart <arnau.alcazar@seqera.io>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

Author: arnaualcazar

.github/actions/security-scan-branch/action.yml

@@ -0,0 +1,60 @@
+name: Security SCA scan for branch
+description: Scan nextflow branch for security vulnerabilities on third-party dependencies
+
+inputs: 
+  branch:
+    description: The branch to scan for security vulnerabilities
+    required: true
+
+runs: 
+  using: "composite"
+  steps:
+    - name: Checkout repository first
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+    - name: Checkout target branch
+      if: ${{ inputs.branch != '' }}
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      with:
+        ref: ${{ inputs.branch }}
+        fetch-depth: 0
+        path: target-branch
+
+    - name: Setup Java 
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{ inputs.java_version || '21' }}
+        distribution: 'temurin'
+        architecture: x64
+        cache: gradle
+
+    - name: Compile
+      shell: bash
+      run: |
+        if [ -d target-branch ]; then
+          cd target-branch
+        fi
+        make assemble
+
+    - name: assume role
+      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
+      with:
+        aws-region: "eu-west-1"
+        role-to-assume: "arn:aws:iam::730335503331:role/AmazonInspectorScanRoleForNextflow" 
+
+    - name: Run SCA scan
+      id: inspector
+      uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@5dc8a4bafed85c4c3d7070b4a7ada5b9d94041e3 #v1.2.1
+      with:
+        artifact_type: "repository"
+        artifact_path: ${{ inputs.branch != '' && './target-branch' || '.' }}
+        display_vulnerability_findings: "enabled"
+        critical_threshold: 1
+        high_threshold: 1
+
+    - name: On vulnerability threshold exceeded
+      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
+      shell: bash
+
+
+

.github/workflows/security-sca-scan-cron.yml

@@ -0,0 +1,26 @@
+name: Security SCA Scan Cron weekly
+# This workflow runs a security scan on the specified branches of the Nextflow repository once a week
+
+on:
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: 
+          - "STABLE-24.10.x"
+          - "STABLE-25.04.x"
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      - name: Run Security SCA Scan
+        uses: ./.github/actions/security-scan-branch
+        with:
+          branch: ${{ matrix.branch }}

.github/workflows/security-sca-scan-master.yml

@@ -0,0 +1,18 @@
+name: Security SCA Scan Cron weekly
+# This workflow runs a security scan on master push
+
+on:
+  push:
+    branches:
+      - master
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      - name: Run Security SCA Scan
+        uses: ./.github/actions/security-scan-branch