Skip to content

fix: Update metrics-server to eksbuild.11 in dev bundles (#1307) #422

fix: Update metrics-server to eksbuild.11 in dev bundles (#1307)

fix: Update metrics-server to eksbuild.11 in dev bundles (#1307) #422

Workflow file for this run

name: Vulnerability Scan
on:
push:
tags:
- v*
branches:
- main
pull_request:
workflow_dispatch:
schedule:
# Run daily at 7am UTC
- cron: '0 7 * * *'
permissions:
contents: read
jobs:
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout Repository
uses: actions/checkout@v6
with:
show-progress: false
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
base-ref: ${{ github.event.pull_request.base.sha || github.event.before || github.sha }}
head-ref: ${{ github.event.pull_request.head.sha || github.sha }}
govulncheck:
name: govulncheck
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v6
with:
show-progress: false
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.25'
check-latest: true
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: govulncheck (root module)
run: |
set +e
govulncheck -C . ./... 2>&1 | tee /tmp/vuln-root.txt
set -e
# Suppress accepted docker/docker vulns (not exploitable - only pkg/homedir used)
if grep -q "Vulnerability #" /tmp/vuln-root.txt; then
UNACCEPTED=$(grep "GO-" /tmp/vuln-root.txt | grep -v "GO-2026-4887\|GO-2026-4883" || true)
if [ -n "$UNACCEPTED" ]; then echo "::error::New vulnerabilities found"; exit 1; fi
fi
- name: govulncheck (credentialproviderpackage)
run: |
set +e
govulncheck -C credentialproviderpackage ./... 2>&1 | tee /tmp/vuln-cred.txt
set -e
if grep -q "Vulnerability #" /tmp/vuln-cred.txt; then
UNACCEPTED=$(grep "GO-" /tmp/vuln-cred.txt | grep -v "GO-2026-4887\|GO-2026-4883" || true)
if [ -n "$UNACCEPTED" ]; then echo "::error::New vulnerabilities found"; exit 1; fi
fi
- name: govulncheck (generatebundlefile)
run: |
set +e
govulncheck -C generatebundlefile ./... 2>&1 | tee /tmp/vuln-gen.txt
set -e
if grep -q "Vulnerability #" /tmp/vuln-gen.txt; then
UNACCEPTED=$(grep "GO-" /tmp/vuln-gen.txt | grep -v "GO-2026-4887\|GO-2026-4883" || true)
if [ -n "$UNACCEPTED" ]; then echo "::error::New vulnerabilities found"; exit 1; fi
fi
- name: govulncheck (ecrtokenrefresher)
run: |
set +e
govulncheck -C ecrtokenrefresher ./... 2>&1 | tee /tmp/vuln-ecr.txt
set -e
if grep -q "Vulnerability #" /tmp/vuln-ecr.txt; then
UNACCEPTED=$(grep "GO-" /tmp/vuln-ecr.txt | grep -v "GO-2026-4887\|GO-2026-4883" || true)
if [ -n "$UNACCEPTED" ]; then echo "::error::New vulnerabilities found"; exit 1; fi
fi