[backport v1.7] ci: Workflow hardening: add govulncheck and zizmor static analysis workflows (#4302) (#4328)

jpayne3506 · Copilot · web-flow · commit 44d7a71cc727 · 2026-04-16T18:46:09.000Z
ci: Workflow hardening: add govulncheck and zizmor static analysis workflows (#4302) * Initial plan * add govulncheck and zizmor workflow files with SHA-pinned actions Agent-Logs-Url: https://github.com/Azure/azure-container-networking/sessions/fa67252f-bb36-48c3-bd99-0aabf2f99b12 * govulncheck: add matrix for all go.mod files and coverage guard job Agent-Logs-Url: https://github.com/Azure/azure-container-networking/sessions/298ba314-3726-40bc-adab-1c3ffcf85a98 * fix: repo-checkout: false * ci: include bpf files * fix: match go version * fix: reorder bpf generation --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,126 @@
+name: govulncheck
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    name: Run govulncheck (${{ matrix.module }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        module:
+          - .
+          - azure-ip-masq-merger
+          - azure-ipam
+          - azure-iptables-monitor
+          - bpf-prog/ipv6-hp-bpf
+          - cilium-log-collector
+          - dropgz
+          - pkgerrlint
+          - tools/azure-npm-to-cilium-validator
+          - zapai
+        include:
+          - module: .
+            bpf: true
+          - module: bpf-prog/ipv6-hp-bpf
+            bpf: true
+          - module: azure-iptables-monitor
+            bpf: true
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        if: matrix.bpf
+        with:
+          go-version-file: go.mod
+
+      - name: Build BPF lib
+        if: matrix.bpf
+        run: make bpf-lib
+
+      - name: Go generate
+        if: matrix.bpf
+        run: go generate ./...
+
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: ${{ matrix.module }}/go.mod
+
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        with:
+          go-version-file: ${{ matrix.module }}/go.mod
+          work-dir: ${{ matrix.module }}
+          go-package: ./...
+          repo-checkout: false
+
+  check-gomod-coverage:
+    name: Check all go.mod files are in matrix
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify matrix covers all go.mod files
+        run: |
+          MATRIX_MODULES=(
+            "."
+            "azure-ip-masq-merger"
+            "azure-ipam"
+            "azure-iptables-monitor"
+            "bpf-prog/ipv6-hp-bpf"
+            "cilium-log-collector"
+            "dropgz"
+            "pkgerrlint"
+            "tools/azure-npm-to-cilium-validator"
+            "zapai"
+          )
+
+          mapfile -t FOUND_MODULES < <(
+            find . -name "go.mod" -not -path "*/vendor/*" \
+              | xargs -I{} dirname {} \
+              | sed 's|^\./||' \
+              | sort
+          )
+
+          MISSING=()
+          for mod in "${FOUND_MODULES[@]}"; do
+            found=false
+            for matrix_mod in "${MATRIX_MODULES[@]}"; do
+              if [[ "$mod" == "$matrix_mod" ]]; then
+                found=true
+                break
+              fi
+            done
+            if [[ "$found" == "false" ]]; then
+              MISSING+=("$mod")
+            fi
+          done
+
+          if [[ ${#MISSING[@]} -gt 0 ]]; then
+            echo "ERROR: The following go.mod files are not in the govulncheck matrix:"
+            for m in "${MISSING[@]}"; do
+              echo "  - $m"
+            done
+            echo ""
+            echo "Add them to the 'matrix.module' list in .github/workflows/govulncheck.yaml"
+            exit 1
+          fi
+
+          echo "All go.mod files are covered by the govulncheck matrix."
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -0,0 +1,33 @@
+name: zizmor
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: GitHub Actions static analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        env:
+          GH_TOKEN: ${{ github.token }}
