ci: Add govulncheck workflow (tendermint#9903)

* Add vulncheck target to Makefile Signed-off-by: Thane Thomson <[email protected]> * ci: Add govulncheck workflow Signed-off-by: Thane Thomson <[email protected]> Signed-off-by: Thane Thomson <[email protected]>
informalsystems · Dec 19, 2022 · 8b7ae93 · 8b7ae93
1 parent 82ec855
commit 8b7ae93
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -0,0 +1,31 @@
+name: Check for Go vulnerabilities
+# Runs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to proactively
+# check for vulnerabilities in code packages if there were any changes made to
+# any Go code or dependencies.
+#
+# Run `make vulncheck` from the root of the repo to run this workflow locally.
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release/**
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.18"
+      - uses: actions/checkout@v3
+      - uses: technote-space/get-diff-action@v6
+        with:
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            Makefile
+      - name: govulncheck
+        run: make vulncheck
+        if: "env.GIT_DIFF != ''"
diff --git a/Makefile b/Makefile
@@ -274,6 +274,10 @@ lint:
 	@go run github.com/golangci/golangci-lint/cmd/golangci-lint run
 .PHONY: lint
 
+vulncheck:
+	@go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+.PHONY: vulncheck
+
 DESTINATION = ./index.html.md
 
 ###############################################################################