Unify OSV scanner action (google#711)

Combine the 2 osv-scanner actions into one file.

This is an example of what will be shown in the starter-workflows
example, allowing us to have one starter-workflow that does both PR
scanning and scheduled scanning.

Ideally we can hide the skipped workflows, but that's not possible at
the moment: https://github.com/orgs/community/discussions/18001

.github/workflows/osv-scanner-scheduled.yml → .github/workflows/osv-scanner-unified-action.yml

@@ -15,22 +15,37 @@
 name: OSV-Scanner Scheduled Scan
 
 on:
+  pull_request:
+    branches: ["main"]
+  merge_group:
+    branches: ["main"]
   schedule:
     - cron: "12 12 * * 1"
   push:
     branches: ["main"]
 
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read
+
 jobs:
   scan-scheduled:
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
     uses: "./.github/workflows/osv-scanner-reusable.yml"
     with:
       # Just scan the root directory and docs, since everything else is fixtures
       scan-args: |-
         --skip-git
         ./
         ./docs/
-    permissions:
-      # Require writing security events to upload SARIF file to security tab
-      security-events: write
-      # Read commit contents
-      contents: read
+  scan-pr:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "./.github/workflows/osv-scanner-reusable-pr.yml"
+    with:
+      # Just scan the root directory and docs, since everything else is fixtures
+      scan-args: |-
+        --skip-git
+        ./
+        ./docs/