✨ detect sbt ci-release packaging workflows (ossf#4135)

Signed-off-by: Arnout Engelen <[email protected]>

checks/fileparser/github_workflow.go

@@ -488,6 +488,15 @@ func IsPackagingWorkflow(workflow *actionlint.Workflow, fp string) (JobMatchResu
 			},
 			LogText: "candidate java publishing workflow using gradle",
 		},
+		{
+			// Scala packages with sbt-ci-release
+			Steps: []*JobMatcherStep{
+				{
+					Run: "sbt.*ci-release",
+				},
+			},
+			LogText: "candidate Scala publishing workflow using sbt-ci-release",
+		},
 		{
 			// Ruby packages.
 			Steps: []*JobMatcherStep{

checks/fileparser/github_workflow_test.go

@@ -948,6 +948,11 @@ func TestIsPackagingWorkflow(t *testing.T) {
 			filename: "../testdata/.github/workflows/github-workflow-packaging-gradle.yaml",
 			expected: true,
 		},
+		{
+			name:     "sbt ci-release",
+			filename: "../testdata/.github/workflows/github-workflow-packaging-sbt-ci-release.yaml",
+			expected: true,
+		},
 		{
 			name:     "gem publish",
 			filename: "../testdata/.github/workflows/github-workflow-packaging-gem.yaml",

checks/testdata/.github/workflows/github-workflow-packaging-sbt-ci-release.yaml

@@ -0,0 +1,19 @@
+name: Release
+on:
+  push:
+    branches: [master, main]
+    tags: ["*"]
+jobs:
+  publish:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+      - uses: olafurpg/setup-scala@v10
+      - run: sbt ci-release
+        env:
+          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
+          PGP_SECRET: ${{ secrets.PGP_SECRET }}
+          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}