Skip to content

[CI/CD] Add govulncheck to CI#1416

Merged
sean-breen merged 17 commits intomainfrom
add-govulncheck
Dec 11, 2025
Merged

[CI/CD] Add govulncheck to CI#1416
sean-breen merged 17 commits intomainfrom
add-govulncheck

Conversation

@sean-breen
Copy link
Contributor

@sean-breen sean-breen commented Nov 25, 2025
edited
Loading

Proposed changes

Adds the govulncheck action to our CI workflow to catch and report vulnerabilities to the Security tab.

Also adds a nightly-scans.yml workflow to run the vulnerability scan nightly against main and dev-v2 branches.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • I have run make install-tools and have attached any dependency changes to this pull request
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • If applicable, I have updated any relevant documentation (README.md)
  • If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

@codecov
Copy link

codecov bot commented Nov 25, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.31%. Comparing base (543e7c6) to head (9f3e629).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #1416   +/-   ##
=======================================
  Coverage   85.31%   85.31%           
=======================================
  Files         102      102           
  Lines       12972    12972           
=======================================
  Hits        11067    11067           
  Misses       1418     1418           
  Partials      487      487

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 543e7c6...9f3e629. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@sean-breen sean-breen marked this pull request as ready for review November 27, 2025 11:12
@sean-breen sean-breen requested a review from a team as a code owner November 27, 2025 11:12
dhurley
dhurley reviewed Nov 27, 2025
View reviewed changes
.github/workflows/ci.yml Outdated
security-events: write
with:
target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
go-version-input: '1.24.10'
Copy link
Collaborator

@dhurley dhurley Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to get the golang version from the go.mod file like how we do it for the setup-go action on line 72?

.github/workflows/nightly-scans.yml Outdated
uses: ./.github/workflows/vulncheck.yml
with:
target-branch: 'dev-v2'
go-version-input: '1.24.10'
Copy link
Collaborator

@dhurley dhurley Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agent V2 is actually on 1.24.9 at the moment. So we need to be able to get the version from the go.mod instead of hardcoding it into the workflows

Copy link
Contributor Author

@sean-breen sean-breen Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a check where we read the go version from the go.mod

@sean-breen sean-breen requested a review from dhurley November 27, 2025 14:49
dhurley
dhurley reviewed Nov 27, 2025
View reviewed changes
.github/workflows/vulncheck.yml Outdated
on:
workflow_call:
inputs:
go-version-input:
Copy link
Collaborator

@dhurley dhurley Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can the go-version-input inputs be removed now?

Copy link
Contributor Author

@sean-breen sean-breen Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed

@sean-breen sean-breen requested a review from dhurley December 8, 2025 10:56
@sean-breen sean-breen merged commit bb30122 into main Dec 11, 2025
68 of 70 checks passed
@sean-breen sean-breen deleted the add-govulncheck branch December 11, 2025 10:48
Akshay2191 pushed a commit that referenced this pull request Dec 18, 2025
@sean-breen @Akshay2191
[CI/CD] Add govulncheck to CI (#1416)
b518fdb 
* [skip ci] add govulncheck workflow

* add vulncheck workflow, call from CI.yml, and allow dispatch

* add nightly-scans.yml workflow

* checkout

* checkout via ref name

* fix calling workflow

* fix startup failure

* Add missing permission for security_events

* add check for go version in go.mod

* fix setting of output from go version step

* use toolchain version

* remove go version input ot reusable workflow, no longer needed

* remove input field
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhurley dhurley dhurley approved these changes

@spencerugbo spencerugbo spencerugbo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sean-breen @dhurley @spencerugbo