From bd6b862b63ebe0752ba15026bd040c175d1ae854 Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Fri, 18 Jul 2025 17:03:39 -0400
Subject: [PATCH 1/2] Incorporate govulncheck into workflows
---
 .github/workflows/govulncheck.yml | 27 +++++++++++++++++++++++++++
 .github/workflows/lint.yml | 20 +++++++++++++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/govulncheck.yml
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 000000000..ada58c550
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,27 @@
+name: Go Vulnerability Check
+on:
+ schedule:
+ - cron: "0 0 * * 1" # Every Monday at midnight UTC
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+
+ # `govulncheck -format sarif` exits successfully regardless of results, which are not in stdout.
+ # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
+ - name: Check Go vulnerabilities
+ run: |
+ make
+ go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary -format sarif bin/gh > gh.sarif
+
+ - name: Upload SARIF report
+ uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # 2.22.1
+ with:
+ sarif_file: gh.sarif
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0b5d18882..771362b44 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -23,7 +23,6 @@ permissions:
 jobs:
 lint:
 runs-on: ubuntu-latest
-
 steps:
 - name: Check out code
 uses: actions/checkout@v4
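Review bot: `actions/checkout@v4` and `actions/setup-go@v5` are pinned to mutable major tags while the `govulncheck` and `upload-sarif` lines in the same hunk pin a full commit SHA, so the new workflow's supply-chain posture is only as strong as its loosest `uses:`; a retagged or compromised action release would execute with this job's token in a scheduled run nobody is watching, so pin both by SHA with a version comment, e.g. `uses: actions/checkout@<full-sha> # v4.x`, matching the existing `upload-sarif` style. The workflow is triggered only by `schedule:`, which runs solely on the default branch and is automatically disabled by GitHub after a period of repository inactivity; adding `workflow_dispatch:` under `on:` gives an on-demand run and a way to re-validate the SARIF upload path without waiting for Monday. The pinned `codeql-action` commit is labelled `2.22.1`, a 2023 release of a major line that I believe has since been deprecated in favour of v3 — worth confirming and bumping the SHA so the upload step does not start failing. Note also that `-mode=binary` scans `bin/gh` as built by the toolchain `setup-go` selects from `go.mod`, which may not be the toolchain used for releases; a one-line comment stating which toolchain is intended to be covered would help future readers.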
@@ -64,3 +63,22 @@ jobs:
 export PATH=${GOROOT}/bin:$PATH
 go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
 make licenses-check
+
+ # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
+ govulncheck:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+
+ # `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
+ # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
+ - name: Check Go vulnerabilities
+ run: |
+ make
+ go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary bin/gh
From 4da24b8a0ca3361360e81adf8dfb4e32c325af1f Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Mon, 21 Jul 2025 08:44:58 -0400
Subject: [PATCH 2/2] Limit permissions of govulncheck workflow
---
 .github/workflows/govulncheck.yml | 3 +++
 .github/workflows/lint.yml | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index ada58c550..42d94077c 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -5,6 +5,9 @@ on:
 jobs:
 govulncheck:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
 steps:
 - name: Check out code
 uses: actions/checkout@v4
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 771362b44..5281a46d0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,10 +16,8 @@ on:
 - go.sum
 - ".github/licenses.tmpl"
 - "script/licenses*"
-
 permissions:
 contents: read
-
 jobs:
 lint:
 runs-on: ubuntu-latest
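Review bot: The comment `# Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.` understates what the new `govulncheck` job checks — in `-mode=binary` govulncheck reports known vulnerabilities in the module dependencies compiled into `bin/gh` as well as in the standard library, and that wider coverage is the reason to gate pull requests on it. Suggest `# Use govulncheck to report known vulnerabilities in the Go standard library and module dependencies compiled into the GitHub CLI binary.` Because the step fails the job on any finding, a newly published advisory affecting a transitive dependency will start failing every run of this workflow until a fix is available; that is presumably the intended gate, but it is worth stating in the comment (along with the fact that `govulncheck` needs outbound access to the vulnerability database) so contributors do not mistake it for a lint regression in their own change. The `checkout` and `setup-go` actions in this job are pinned to mutable tags, unlike the SHA-pinned `govulncheck` in the same step; pin them by SHA for consistency.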
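Review bot: The new `permissions:` block is attached to the `govulncheck` job only, so the workflow still has no top-level `permissions:` and any job added to this file later would start with the repository's default `GITHUB_TOKEN` scopes rather than the read-only baseline that `lint.yml` sets at workflow level. Suggest adding `permissions:` / `  contents: read` above `jobs:` and keeping the job-level block, which then widens the token only by `security-events: write` for the SARIF upload step. If this workflow is ever run in a private repository or fork, `upload-sarif` also needs `actions: read` according to the CodeQL Action documentation — TODO confirm whether that applies here and note it beside the block. Otherwise the hunk is the right shape: a least-privilege token with write access limited to the single scope the upload requires.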