Skip to content

[CI/CD] Add govulncheck to CI #1416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
+79 −0
Open

[CI/CD] Add govulncheck to CI #1416

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
9b85fa7
[skip ci] add govulncheck workflow
sean-breen Nov 24, 2025
1a275bf
add vulncheck workflow, call from CI.yml, and allow dispatch
sean-breen Nov 25, 2025
4e78539
Merge branch 'main' into add-govulncheck
sean-breen Nov 25, 2025
98646fd
Merge branch 'main' into add-govulncheck
sean-breen Nov 26, 2025
15fd67a
add nightly-scans.yml workflow
sean-breen Nov 27, 2025
09c490e
checkout
sean-breen Nov 27, 2025
1e4ca59
checkout via ref name
sean-breen Nov 27, 2025
606f521
fix calling workflow
sean-breen Nov 27, 2025
ad75c40
fix startup failure
sean-breen Nov 27, 2025
31552f3
Add missing permission for security_events
sean-breen Nov 27, 2025
1cb2926
add check for go version in go.mod
sean-breen Nov 27, 2025
3536ae4
fix setting of output from go version step
sean-breen Nov 27, 2025
73b02e8
use toolchain version
sean-breen Nov 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,15 @@ jobs:
with:
version: v2.4.0

vulnerability-scan:
name: Vulnerability Scan
uses: ./.github/workflows/vulncheck.yml
permissions:
security-events: write
with:
target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
go-version-input: '1.24.10'
Copy link
Collaborator

@dhurley dhurley Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to get the golang version from the go.mod file like how we do it for the setup-go action on line 72?


unit-test:
name: Unit Tests
runs-on: ubuntu-22.04
Expand Down
18 changes: 18 additions & 0 deletions .github/workflows/nightly-scans.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
name: nightly-scans.yml
on:
schedule:
- cron: '0 2 * * *' # Runs daily at 2:00 AM UTC
workflow_dispatch:

jobs:
scan-main:
name: Vulnerability Scan - Main
uses: ./.github/workflows/vulncheck.yml
with:
target-branch: 'main'

scan-v2:
name: Vulnerability Scan - dev-v2
uses: ./.github/workflows/vulncheck.yml
with:
target-branch: 'dev-v2'
52 changes: 52 additions & 0 deletions .github/workflows/vulncheck.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: vulncheck.yaml
on:
workflow_call:
inputs:
go-version-input:
Copy link
Collaborator

@dhurley dhurley Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can the go-version-input inputs be removed now?

description: 'Go version to install'
type: string
required: false
default: '1.24.10'
target-branch:
description: 'Target branch to run govulncheck against'
type: string
required: false
default: 'main'
workflow_dispatch:
inputs:
go-version-input:
description: 'Go version to install'
required: false
default: '1.24.10'
target-branch:
description: 'Target branch to run govulncheck against'
required: false
default: 'main'

jobs:
vulncheck:
name: Vulnerability Check
runs-on: ubuntu-22.04
permissions:
security-events: write # for reporting vulnerabilities via code-scanning API
steps:
- name: Checkout Repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
fetch-depth: 0
ref: ${{ inputs.targetBranch || 'main' }}

- name: Check Go version
id: get-go-version
run: |
echo "Reading from go.mod"
GO_VERSION=$(grep -E "^toolchain " go.mod | awk -F' ' '{print $2}' | tr -d 'go')
echo "Found $GO_VERSION"
echo "go-version="$GO_VERSION"" >> $GITHUB_OUTPUT
- name: Run govulncheck
id: govulncheck
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
with:
go-version-input: ${{ steps.get-go-version.outputs.go-version }}
Loading