From 71495220d69c2beca37734b0225c681c932e79b3 Mon Sep 17 00:00:00 2001
From: Jesse Seales
Date: Thu, 1 Jun 2023 15:48:16 -0400
Subject: [PATCH 1/2] use label in optional vuln scan run
---
 .github/workflows/third_party_scan.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/third_party_scan.yml b/.github/workflows/third_party_scan.yml
index 7e50fbb8eb13f..79b820ee0de5a 100644
--- a/.github/workflows/third_party_scan.yml
+++ b/.github/workflows/third_party_scan.yml
@@ -4,6 +4,8 @@ on:
 branch_protection_rule:
 push:
 branches: [ main ]
+ pull_request:
+ types: [ labeled ]
 # Declare default permissions as read only.
 permissions: read-all
@@ -12,7 +14,8 @@ jobs:
 vuln-scan:
 name: Vulnerability scanning
 runs-on: ubuntu-20.04
- if: ${{ github.repository == 'flutter/engine' }}
+ # run on flutter/engine push to main or PRs with 'vulnerability patch' label
+ if: ${{ github.repository == 'flutter/engine' && (github.event_name == 'push' || github.event.label.name == 'vulnerability patch') }}
 permissions:
 # Needed to upload the SARIF results to code-scanning dashboard.
 security-events: write
From ca3deb043df890a5304ba5c9b72a2876991aeecc Mon Sep 17 00:00:00 2001
From: Jesse Seales
Date: Thu, 1 Jun 2023 17:47:56 -0400
Subject: [PATCH 2/2] change name of label
---
 .github/workflows/third_party_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/third_party_scan.yml b/.github/workflows/third_party_scan.yml
index 79b820ee0de5a..80724463d2e3f 100644
--- a/.github/workflows/third_party_scan.yml
+++ b/.github/workflows/third_party_scan.yml
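Review bot: With `types: [ labeled ]` as the only pull-request activity type, the scan runs once against whatever commit is at the PR head when the label is applied, and commits pushed afterwards are not rescanned, so a clean result can describe older code. If the label is meant to keep the PR under scan, add `synchronize` to `types` and gate the job on `contains(github.event.pull_request.labels.*.name, '<label name>')`, because `github.event.label` is only present on label events. For PRs opened from forks the `pull_request` token is normally read-only regardless of the job's `permissions` block, so the SARIF upload that needs `security-events: write` will probably fail there; the upload step is outside this hunk, and staying on `pull_request` rather than `pull_request_target` is the right trade-off for a job that processes PR-controlled content.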
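Review bot: The new `if:` silently disables the `branch_protection_rule` trigger: it is still declared under `on:`, but the condition only admits `push` or a matching label, so the job is skipped for that event where the old repository-only check let it run. Either remove the trigger or add `|| github.event_name == 'branch_protection_rule'` to the condition. The label comparison is the only gate on PR runs, so it reads more clearly when tied to the event, `github.event_name == 'pull_request' && github.event.label.name == '<label name>'`. The `vuln-scan` job continues past the end of the hunk.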
@@ -15,7 +15,7 @@ jobs:
 name: Vulnerability scanning
 runs-on: ubuntu-20.04
 # run on flutter/engine push to main or PRs with 'vulnerability patch' label
- if: ${{ github.repository == 'flutter/engine' && (github.event_name == 'push' || github.event.label.name == 'vulnerability patch') }}
+ if: ${{ github.repository == 'flutter/engine' && (github.event_name == 'push' || github.event.label.name == 'vulnerability scan') }}
 permissions:
 # Needed to upload the SARIF results to code-scanning dashboard.
 security-events: write
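Review bot: The comment directly above the changed `if:` still names the old label, so after this commit it contradicts the condition; it should become `# run on flutter/engine push to main or PRs with 'vulnerability scan' label`. Because the expression is an exact string comparison, a repository label whose name differs in any character makes the job skip without an error, so the label itself has to be renamed together with this change. The job body continues outside the hunk.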