Merge pull request #11332 from cli/andyfeller/11209-automate-govulncheck

Incorporate govulncheck into workflows
2025-07-23 10:56:51 -04:00 · 2025-07-23 10:56:51 -04:00 · 7dffc39c33
commit 7dffc39c33
parent 43e76099a5 4da24b8a0c
2 changed files with 49 additions and 3 deletions
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@ -0,0 +1,30 @@
+name: Go Vulnerability Check
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Every Monday at midnight UTC
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      # `govulncheck -format sarif` exits successfully regardless of results, which are not in stdout.
+      # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
+      - name: Check Go vulnerabilities
+        run: |
+          make
+          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary -format sarif bin/gh > gh.sarif
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # 2.22.1
+        with:
+          sarif_file: gh.sarif
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -16,14 +16,11 @@ on:
      - go.sum
      - ".github/licenses.tmpl"
      - "script/licenses*"
-
 permissions:
  contents: read
-
 jobs:
  lint:
    runs-on: ubuntu-latest
-
    steps:
      - name: Check out code
        uses: actions/checkout@v4
@ -64,3 +61,22 @@ jobs:
          export PATH=${GOROOT}/bin:$PATH
          go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
          make licenses-check
+
+  # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      # `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
+      # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
+      - name: Check Go vulnerabilities
+        run: |
+          make
+          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary bin/gh