ci: Add govulncheck workflow (tendermint#9903) (tendermint#9915)

mergify[bot] · thanethomson · web-flow · commit 69e96f171b76 · 2022-12-19T09:53:14.000-05:00
* Add vulncheck target to Makefile Signed-off-by: Thane Thomson <connect@thanethomson.com> * ci: Add govulncheck workflow Signed-off-by: Thane Thomson <connect@thanethomson.com> Signed-off-by: Thane Thomson <connect@thanethomson.com> (cherry picked from commit 8b7ae93) Co-authored-by: Thane Thomson <connect@thanethomson.com>
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -0,0 +1,31 @@
+name: Check for Go vulnerabilities
+# Runs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to proactively
+# check for vulnerabilities in code packages if there were any changes made to
+# any Go code or dependencies.
+#
+# Run `make vulncheck` from the root of the repo to run this workflow locally.
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release/**
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.18"
+      - uses: actions/checkout@v3
+      - uses: technote-space/get-diff-action@v6
+        with:
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            Makefile
+      - name: govulncheck
+        run: make vulncheck
+        if: "env.GIT_DIFF != ''"
diff --git a/Makefile b/Makefile
@@ -203,6 +203,10 @@ lint:
 	@go run github.com/golangci/golangci-lint/cmd/golangci-lint run
 .PHONY: lint
 
+vulncheck:
+	@go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+.PHONY: vulncheck
+
 DESTINATION = ./index.html.md
 
 ###############################################################################
