Skip to content
govulncheck

govulncheck #418

Sign in to view logs

govulncheck

govulncheck #418

Workflow file for this run

.github/workflows/govulncheck.yaml at a6b5795
# This file is MANUALLY maintained, but was originally based on the makefile-modules govulncheck workflow. See the original:
# https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml
# This file is separated from the upstream file so we can add additional auth for pulling
# private dependencies. Govulncheck doesn't seem to be able to support skipping private
# dependencies.
# Run govulncheck at midnight every night on the main branch,
# to alert us to recent vulnerabilities which affect the Go code in this
# project.
name: govulncheck
on:
workflow_dispatch: {}
schedule:
- cron: '0 0 * * *'
permissions:
contents: read
jobs:
govulncheck:
runs-on: ubuntu-latest
if: github.repository == 'jetstack/jetstack-secure'
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
# Adding `fetch-depth: 0` makes sure tags are also fetched. We need
# the tags so `git describe` returns a valid version.
# see https://github.com/actions/checkout/issues/701 for extra info about this option
with: { fetch-depth: 0 }
# NOTE: This step is the change from the upstream workflow.
# We need credentials to pull the private dependency.
- uses: ./.github/actions/repo_access
with:
DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: ${{ steps.go-version.outputs.result }}
- run: make verify-govulncheck