deps(actions): bump actions/setup-node from 4.4.0 to 6.4.0 #2673
| # ============================================================================= | |
| # NFTBan - Secure Go | |
| # ============================================================================= | |
| # SPDX-License-Identifier: MPL-2.0 | |
| name: Secure Go | |
| on: | |
| push: | |
| branches: [ main, master, develop ] | |
| pull_request: | |
| concurrency: | |
| group: secure-go-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| security-events: write # needed to upload SARIF | |
| actions: read | |
| jobs: | |
| filter: | |
| name: Detect Go changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| go_changed: ${{ steps.filter.outputs.go }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - id: filter | |
| uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| with: | |
| filters: | | |
| go: | |
| - '**/*.go' | |
| - 'go.mod' | |
| - 'go.sum' | |
| - 'cmd/**' | |
| - 'pkg/**' | |
| - 'internal/**' | |
| analyze: | |
| name: Go Security Analysis | |
| needs: filter | |
| if: needs.filter.outputs.go_changed == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: Set up Go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.6.0 | |
| with: | |
| go-version: '1.25' | |
| - name: Cache Go build | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0 | |
| with: | |
| path: | | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: ${{ runner.os }}-go- | |
| - name: Verify modules tidy | |
| run: | | |
| go mod tidy | |
| git diff --exit-code || (echo "::error ::Run 'go mod tidy' locally and commit changes" && exit 1) | |
| - name: Build | |
| run: go build ./... | |
| - name: Unit tests (race + coverage) | |
| run: go test -race -cover -v ./... | |
| # ---- Staticcheck: Go code quality ---- | |
| - name: Install staticcheck | |
| run: go install honnef.co/go/tools/cmd/staticcheck@v0.7.0 | |
| - name: Run staticcheck | |
| run: $(go env GOPATH)/bin/staticcheck ./... | |
| # ---- Gosec: security lint with SARIF upload ---- | |
| - name: Install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@v2.22.0 | |
| - name: Run gosec (SARIF) | |
| run: $(go env GOPATH)/bin/gosec -nosec -fmt sarif -out gosec.sarif ./... || true | |
| - name: Fix gosec SARIF relationships | |
| run: | | |
| # gosec produces invalid SARIF with string relationships instead of objects | |
| # Fix: remove invalid relationships arrays or convert to valid format | |
| python3 << 'PY' | |
| import json | |
| try: | |
| with open('gosec.sarif', 'r') as f: | |
| sarif = json.load(f) | |
| # Fix relationships in rules - must be array of objects, not strings | |
| for run in sarif.get('runs', []): | |
| driver = run.get('tool', {}).get('driver', {}) | |
| for rule in driver.get('rules', []): | |
| if 'relationships' in rule: | |
| # Remove invalid relationships (gosec outputs strings instead of objects) | |
| del rule['relationships'] | |
| with open('gosec.sarif', 'w') as f: | |
| json.dump(sarif, f, indent=2) | |
| print("Fixed gosec SARIF relationships") | |
| except Exception as e: | |
| print(f"Warning: Could not fix SARIF: {e}") | |
| PY | |
| - name: Upload gosec SARIF | |
| uses: github/codeql-action/upload-sarif@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3 | |
| with: | |
| sarif_file: gosec.sarif | |
| category: gosec | |
| # ---- govulncheck: vulnerability intelligence with SARIF ---- | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| - name: Run govulncheck (JSON) | |
| run: $(go env GOPATH)/bin/govulncheck -json ./... > govulncheck.json || true | |
| - name: Convert govulncheck to SARIF | |
| run: | | |
| python3 << 'PY' | |
| import json | |
| import sys | |
| try: | |
| with open('govulncheck.json', 'r') as f: | |
| findings = [json.loads(line) for line in f if line.strip()] | |
| results = [] | |
| for finding in findings: | |
| if finding.get('finding'): | |
| vuln = finding['finding'] | |
| osv = vuln.get('osv', {}) | |
| results.append({ | |
| "ruleId": osv.get('id', 'UNKNOWN'), | |
| "message": {"text": osv.get('summary', 'Vulnerability detected')}, | |
| "level": "warning", | |
| "locations": [{ | |
| "physicalLocation": { | |
| "artifactLocation": {"uri": "go.mod"}, | |
| "region": {"startLine": 1, "startColumn": 1} | |
| } | |
| }] | |
| }) | |
| sarif = { | |
| "version": "2.1.0", | |
| "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", | |
| "runs": [{ | |
| "tool": { | |
| "driver": { | |
| "name": "govulncheck", | |
| "informationUri": "https://golang.org/x/vuln/cmd/govulncheck", | |
| "version": "latest" | |
| } | |
| }, | |
| "results": results | |
| }] | |
| } | |
| with open('govulncheck.sarif', 'w') as f: | |
| json.dump(sarif, f, indent=2) | |
| except Exception as e: | |
| print(f"Error converting govulncheck to SARIF: {e}", file=sys.stderr) | |
| # Create empty SARIF if conversion fails | |
| sarif = { | |
| "version": "2.1.0", | |
| "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", | |
| "runs": [{ | |
| "tool": { | |
| "driver": { | |
| "name": "govulncheck", | |
| "informationUri": "https://golang.org/x/vuln/cmd/govulncheck", | |
| "version": "latest" | |
| } | |
| }, | |
| "results": [] | |
| }] | |
| } | |
| with open('govulncheck.sarif', 'w') as f: | |
| json.dump(sarif, f, indent=2) | |
| PY | |
| - name: Upload govulncheck SARIF | |
| uses: github/codeql-action/upload-sarif@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3 | |
| with: | |
| sarif_file: govulncheck.sarif | |
| category: govulncheck | |
| # ---- Trivy: filesystem vulnerability scanning ---- | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1 | |
| continue-on-error: true # Don't fail workflow if Trivy has issues | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy.sarif' | |
| severity: 'HIGH,CRITICAL' | |
| exit-code: '0' # Report findings but don't fail workflow | |
| - name: Upload Trivy SARIF | |
| uses: github/codeql-action/upload-sarif@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3 | |
| if: always() && hashFiles('trivy.sarif') != '' | |
| with: | |
| sarif_file: trivy.sarif | |
| category: trivy | |
| # ---- Generate security summary ---- | |
| - name: Generate security summary | |
| if: always() | |
| run: | | |
| echo "## Go Security Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Tools Run" >> $GITHUB_STEP_SUMMARY | |
| echo "- ✅ **staticcheck**: Go code quality and bug detection" >> $GITHUB_STEP_SUMMARY | |
| echo "- ✅ **gosec**: Security vulnerability scanner" >> $GITHUB_STEP_SUMMARY | |
| echo "- ✅ **govulncheck**: Go vulnerability database scanner" >> $GITHUB_STEP_SUMMARY | |
| echo "- ✅ **trivy**: Filesystem vulnerability scanner (HIGH/CRITICAL)" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Results" >> $GITHUB_STEP_SUMMARY | |
| echo "Check the Security → Code scanning alerts tab for detailed findings." >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Verification" >> $GITHUB_STEP_SUMMARY | |
| echo "All Go code has been analyzed for:" >> $GITHUB_STEP_SUMMARY | |
| echo "- Known CVEs in dependencies (govulncheck)" >> $GITHUB_STEP_SUMMARY | |
| echo "- Insecure coding patterns (gosec)" >> $GITHUB_STEP_SUMMARY | |
| echo "- Code quality issues (staticcheck)" >> $GITHUB_STEP_SUMMARY | |
| echo "- Race conditions (go test -race)" >> $GITHUB_STEP_SUMMARY | |
| echo "- Filesystem vulnerabilities (trivy)" >> $GITHUB_STEP_SUMMARY | |
| # Required-check pass-through for non-Go PRs | |
| # When paths-filter skips the analyze job, this ensures the required check still passes | |
| secure-go-gate: | |
| name: Build, Test, Scan (Go) | |
| if: always() | |
| needs: [filter, analyze] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Evaluate result | |
| run: | | |
| if [[ "${{ needs.filter.outputs.go_changed }}" != "true" ]]; then | |
| echo "No Go changes detected — security scan skipped (OK)" | |
| exit 0 | |
| fi | |
| if [[ "${{ needs.analyze.result }}" == "failure" ]]; then | |
| echo "::error::Go security analysis failed" | |
| exit 1 | |
| fi | |
| if [[ "${{ needs.analyze.result }}" == "cancelled" ]]; then | |
| echo "::error::Go security analysis was cancelled" | |
| exit 1 | |
| fi | |
| echo "Go security analysis passed" |
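Review bot: The Python in the `Convert govulncheck to SARIF` step treats `finding.osv` as an object (`osv = vuln.get('osv', {})` then `osv.get('id', ...)`), but in govulncheck's `-json` stream `finding.osv` is the OSV id string and the full record arrives as a separate top-level `osv` message, so the first real finding raises AttributeError, the `except` branch writes the empty fallback SARIF, and the upload reports zero vulnerabilities (an empty SARIF in the `govulncheck` category would also resolve previously open alerts). The conversion should index the `osv` messages by id first, resolve each finding's id against that map, and deduplicate by id because govulncheck emits one finding per call trace. The fallback prints to stderr but still exits 0 and the scan itself is run with `|| true`, so nothing in the job or the `secure-go-gate` job surfaces a broken conversion; ending the `except` branch with `sys.exit(1)` would at least make the failure visible. I could not verify the govulncheck schema from this page alone, so confirm against the tool's JSON output before changing the step.
```yaml
      - name: Convert govulncheck to SARIF
        run: |
          python3 << 'PY'
          import json
          import sys
          try:
              osv_by_id = {}
              findings = []
              with open('govulncheck.json', 'r') as f:
                  for line in f:
                      if not line.strip():
                          continue
                      msg = json.loads(line)
                      if msg.get('osv'):
                          # full OSV record; keyed by id for lookup from findings
                          osv_by_id[msg['osv'].get('id')] = msg['osv']
                      elif msg.get('finding'):
                          findings.append(msg['finding'])
              results = []
              seen = set()
              for vuln in findings:
                  osv_id = vuln.get('osv') or 'UNKNOWN'  # string id, not an object
                  if osv_id in seen:
                      continue  # one finding per call trace; report each OSV once
                  seen.add(osv_id)
                  summary = osv_by_id.get(osv_id, {}).get('summary', 'Vulnerability detected')
                  results.append({
                      "ruleId": osv_id,
                      "message": {"text": summary},
                      # … unchanged: level and locations …
                  })
              # … unchanged: SARIF envelope and write …
          except Exception as e:
              # … unchanged: stderr message and empty fallback SARIF …
              sys.exit(1)
          PY
```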