
Commit 1a275bf

committed
add vulncheck workflow, call from CI.yml, and allow dispatch
1 parent 9b85fa7 commit 1a275bf


2 files changed

+40
-17
lines changed


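--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,6 +82,15 @@ jobs:
         with:
           version: v2.4.0
 
+  vulnerability-scan:
+    name: Vulnerability Scan
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: ./.github/workflows/vulncheck.yml
+        with:
+          go-version-input: '1.24.10'
+          targetBranch: 'main'
+
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-22.04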
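Review bot: The `vulnerability-scan` job references the reusable workflow from a step (`- uses: ./.github/workflows/vulncheck.yml` under `steps:`), but a step-level `uses:` with a local path resolves to an action directory, not a workflow file, so this job will fail at run time; a reusable workflow is called with a job-level `uses:`, and such a job cannot declare `runs-on` or `steps`. The called workflow also requests `security-events: write`, and a called workflow never gets more than the caller grants, so the caller job should grant exactly that scope. The `with:` inputs can stay as written. The enclosing `jobs:` mapping starts before this hunk.
```yaml
  vulnerability-scan:
    name: Vulnerability Scan
    permissions:
      security-events: write
    uses: ./.github/workflows/vulncheck.yml
    with:
      go-version-input: '1.24.10'
      targetBranch: 'main'
```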

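--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -1,29 +1,43 @@
 name: vulncheck.yaml
 on:
-  push:
-    branches:
-      - main
-      - dev-v2
-      - 'release-*'
   schedule:
-    - 0 0 * * *
+    - cron: "0 0 * * *" # daily at midnight UTC
+  workflow_call:
+    inputs:
+      go-version-input:
+        description: 'Go version to use for vulncheck'
+        type: string
+        required: false
+        default: '1.24.10'
+      targetBranch:
+        description: 'Target branch to run vulncheck against'
+        type: string
+        required: false
+        default: 'main'
   workflow_dispatch:
+    inputs:
+      go-version-input:
+        description: 'Go version to use for vulncheck'
+        required: false
+        default: '1.24.10'
+      targetBranch:
+        description: 'Target branch to run vulncheck against'
+        required: false
+        default: 'main'
 
 jobs:
   vulncheck:
     name: Vulnerability Check
-    runs-on: ubuntu-amd64
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write # for reporting vulnerabilities via code-scanning API
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-
-      - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: Install govulncheck
-        run: go install golang.org/x/vuln/cmd/vulncheck@latest
+          fetch-depth: 0
+          ref: ${{ inputs.targetBranch || 'main' }}
 
-      - name: Run vulncheck
-        run: govulncheck ./...
+      - id: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        with:
+          go-version-input: ${{ inputs.go-version-input || '1.24.10' }}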
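Review bot: The `permissions:` block grants `security-events: write` with a comment about reporting through the code-scanning API, but nothing in `steps:` uploads a report — the `govulncheck` step is only given `go-version-input`, so findings stay in the job log and the write scope is unused. Either drop the `permissions:` block so the job keeps the read-only default token, or wire the report: if the pinned govulncheck-action supports its `output-format`/`output-file` inputs, emit SARIF and upload it with `github/codeql-action/upload-sarif`, pinned by SHA like the other actions and run with `if: always()`, since govulncheck exits non-zero when it finds something and the upload would otherwise be skipped on exactly the runs that matter. A smaller point: `'1.24.10'` and `'main'` now appear in both `inputs:` defaults and again in the `||` fallbacks, which are only needed for the `schedule` trigger where `inputs` is empty; a one-line comment on the `ref:` line, `# inputs is empty on schedule runs; fall back to main`, would make that intent clear. `fetch-depth: 0` also pulls full history that the scan does not need.
```yaml
      - id: govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-version-input: ${{ inputs.go-version-input || '1.24.10' }}
          output-format: sarif
          output-file: govulncheck.sarif
      - if: always()
        uses: github/codeql-action/upload-sarif@<PINNED_SHA> # <VERSION>
        with:
          sarif_file: govulncheck.sarif
```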
