From 8b7ae932ffbd182d56d1702b8a3310464264f7b1 Mon Sep 17 00:00:00 2001 From: Thane Thomson Date: Mon, 19 Dec 2022 07:59:22 -0500 Subject: [PATCH] ci: Add govulncheck workflow (#9903) * Add vulncheck target to Makefile Signed-off-by: Thane Thomson * ci: Add govulncheck workflow Signed-off-by: Thane Thomson Signed-off-by: Thane Thomson
---
 .github/workflows/govulncheck.yml | 31 +++++++++++++++++++++++++++++++ Makefile | 4 ++++ 2 files changed, 35 insertions(+) create mode 100644 .github/workflows/govulncheck.yml
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 00000000000..84b99593c70
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,31 @@
+name: Check for Go vulnerabilities
+# Runs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to proactively
+# check for vulnerabilities in code packages if there were any changes made to
+# any Go code or dependencies.
+#
+# Run `make vulncheck` from the root of the repo to run this workflow locally.
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - release/**
+
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v3
+ with:
+ go-version: "1.18"
+ - uses: actions/checkout@v3
+ - uses: technote-space/get-diff-action@v6
+ with:
+ PATTERNS: |
+ **/*.go
+ go.mod
+ go.sum
+ Makefile
+ - name: govulncheck
+ run: make vulncheck
+ if: "env.GIT_DIFF != ''"
diff --git a/Makefile b/Makefile
index 97295c6cea8..f1c479bb670 100644
--- a/Makefile
+++ b/Makefile
@@ -274,6 +274,10 @@ lint:
 @go run github.com/golangci/golangci-lint/cmd/golangci-lint run
 .PHONY: lint
+vulncheck:
+ @go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+.PHONY: vulncheck
+
 DESTINATION = ./index.html.md
 ###############################################################################
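Review bot: The new workflow declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository has, although its visible steps only read the code; a top-level `permissions:` with `contents: read` would make that explicit. The third-party step `technote-space/get-diff-action@v6` (and the `actions/*@v3` steps) are referenced by movable tags; pinning to a full commit SHA, e.g. `uses: technote-space/get-diff-action@<full-commit-sha> # v6`, keeps a retagged release from changing what runs here. Because the `govulncheck` step is gated on `env.GIT_DIFF != ''` and the only triggers are `pull_request` and `push`, an advisory published for an existing dependency is not reported until someone next touches a matching file; a `schedule:` trigger that bypasses the diff gate would close that gap.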
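Review bot: The `vulncheck` recipe runs `govulncheck@latest`, so every CI and local run fetches and executes whatever version is newest at that moment; the tool can change under the project without any commit in this repository, and two runs on the same tree may not use the same scanner. Pinning a reviewed version, `@go run golang.org/x/vuln/cmd/govulncheck@<pinned-version> ./...`, and bumping it deliberately would be closer to the `lint` target just above, which has no version suffix and so presumably resolves through `go.mod`. The vulnerability database is still fetched at run time, so pinning the tool does not make the findings stale.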