Adds Snyk GitHub action using CLI

[SHession]

What does this change?

Adds Snyk integration using the CLI via GitHub actions using a new reusable workflow. This should provide us more consistent and accurate results.

How to test

Does the GitHub action kick off correctly, do the result display as expected in the Snyk dashboard?

[SHession]

Seems to be working as inteded, except it is determining the wrong "nodeVersion": "v14.17.6" and saying it has Encountered multiple node lockfiles files. Not sure why this is happening but would be interested if anyone has any thoughts. I have left the action in a debug state for reviewers.

[jfsoul]

I'm no expert but I think maybe a nicer way of exposing this generic action would be to separate into its own repo and then create an example usage in a workflow in the .github repo that references the standalone action. Then the reference here can be a bit cleaner, something like guardian/snyk-generic-action@1.0.0

[SHession]

Yeah good point, I would be open to that idea. I'm not sure if there is an important distinction between workflows and actions to be made. I think workflows may need to be referenced in this convoluted way.

[jonathonherbert]

Ace! I can't see anything in checks – do we need to do anything special to kick this off, or perhaps I'm looking in the wrong place?

[SHession]

Ace! I can't see anything in checks – do we need to do anything special to kick this off, or perhaps I'm looking in the wrong place?

@jonathonherbert, the checks are, for the merged version, disabled so that we don't get conflicting results in Snyk. You can see a previously run action here: https://github.com/guardian/workflow-frontend/runs/5128202281?check_suite_focus=true. The results of that action will be visible in the Snyk dashboard.

[jonathonherbert]

Can see the action here, and can see a CLI project in snyk 👍

[prout-bot]

Seen on WORKFLOW_PROD (merged by @SHession 6 minutes and 23 seconds ago) Please check your changes!