Scheduled govulncheck #222
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # "Govulncheck reports known vulnerabilities that affect Go code. | |
| # It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application." | |
| # | |
| # For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck | |
| name: 'Scheduled govulncheck' | |
| # run schedule every work day at 9:42 UTC | |
| on: | |
| schedule: | |
| - cron: '0,15,30,45 * * * 1-5' | |
| jobs: | |
| govulncheck_job: | |
| runs-on: ubuntu-latest | |
| name: Run govulncheck | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # CodeQL runs on these branches. Pattern matching doesn't work, so we need to add relevant branches manually. | |
| branches: | |
| - 'master' | |
| - 'V5.4' | |
| - 'V6.0' | |
| steps: | |
| - name: Checkout branch | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ matrix.branches }} | |
| - id: govulncheck | |
| uses: golang/govulncheck-action@v1 | |
| with: | |
| # TODO: This should probably run against the builder or runtime in the Dockerfile. | |
| # I don't think it is possible to detect those versions here, but maybe run against `go-version-input: 'stable'` | |
| # and detect container vulnerabilities in a different action? | |
| go-version-input: '' # remove default | |
| go-version-file: 'go.mod' | |
| go-package: ./... | |
| repo-checkout: false # will checkout the default branch if left on true | |
| output-format: 'text' # leave on the default since other values will always result in successful completion of the action. |