ci: Add govulncheck workflow (#9903) (#9914)

* Add vulncheck target to Makefile Signed-off-by: Thane Thomson <connect@thanethomson.com> * ci: Add govulncheck workflow Signed-off-by: Thane Thomson <connect@thanethomson.com> Signed-off-by: Thane Thomson <connect@thanethomson.com> (cherry picked from commit 8b7ae932ff) Co-authored-by: Thane Thomson <connect@thanethomson.com>
2026-01-03 11:45:18 +00:00 · 2022-12-19 09:53:05 -05:00
parent 270caadc4d
commit 37cb51c2dc
2 changed files with 35 additions and 0 deletions
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,31 @@
+name: Check for Go vulnerabilities
+# Runs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to proactively
+# check for vulnerabilities in code packages if there were any changes made to
+# any Go code or dependencies.
+#
+# Run `make vulncheck` from the root of the repo to run this workflow locally.
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release/**
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.18"
+      - uses: actions/checkout@v3
+      - uses: technote-space/get-diff-action@v6
+        with:
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            Makefile
+      - name: govulncheck
+        run: make vulncheck
+        if: "env.GIT_DIFF != ''"
--- a/4
+++ b/4
@@ -280,6 +280,10 @@ lint:
 	@go run github.com/golangci/golangci-lint/cmd/golangci-lint run
 .PHONY: lint

+vulncheck:
+	@go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+.PHONY: vulncheck
+
 DESTINATION = ./index.html.md

 ###############################################################################