jetstack-secure/.github/workflows/govulncheck.yaml at 4445a6b01b4e59f43193b09e3ad083f102aac297 · jetstack/jetstack-secure · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# This file is MANUALLY maintained, but was originally based on the makefile-modules govulncheck workflow. See the original:
# https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml

# This file is separated from the upstream file so we can add additional auth for pulling
# private dependencies. Govulncheck doesn't seem to be able to support skipping private
# dependencies.

# Run govulncheck at midnight every night on the main branch,
# to alert us to recent vulnerabilities which affect the Go code in this
# project.
name: govulncheck
on:
  workflow_dispatch: {}
  schedule:
    - cron: '0 0 * * *'

permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest

    if: github.repository == 'jetstack/jetstack-secure'

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
        # the tags so `git describe` returns a valid version.
        # see https://github.com/actions/checkout/issues/701 for extra info about this option
        with: { fetch-depth: 0 }

      # NOTE: This step is the change from the upstream workflow.
      # We need credentials to pull the private dependency.
      - uses: ./.github/actions/repo_access
        with:
          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}

      - id: go-version
        run: |
          make print-go-version >> "$GITHUB_OUTPUT"

      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ steps.go-version.outputs.result }}

      - run: make verify-govulncheck