Skip to content

[pull] trunk from cli:trunk #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pull merged 3 commits into from
Jul 23, 2025
+49 −3
Merged

[pull] trunk from cli:trunk #63

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bd6b862
Incorporate govulncheck into workflows
andyfeller Jul 18, 2025
4da24b8
Limit permissions of govulncheck workflow
andyfeller Jul 21, 2025
7dffc39
Merge pull request #11332 from cli/andyfeller/11209-automate-govulncheck
andyfeller Jul 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions .github/workflows/govulncheck.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Go Vulnerability Check
on:
schedule:
- cron: "0 0 * * 1" # Every Monday at midnight UTC
jobs:
govulncheck:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'

# `govulncheck -format sarif` exits successfully regardless of results, which are not in stdout.
# See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
- name: Check Go vulnerabilities
run: |
make
go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary -format sarif bin/gh > gh.sarif

- name: Upload SARIF report
uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # 2.22.1
with:
sarif_file: gh.sarif
22 changes: 19 additions & 3 deletions .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,11 @@ on:
- go.sum
- ".github/licenses.tmpl"
- "script/licenses*"

permissions:
contents: read

jobs:
lint:
runs-on: ubuntu-latest

steps:
- name: Check out code
uses: actions/checkout@v4
Expand Down Expand Up @@ -64,3 +61,22 @@ jobs:
export PATH=${GOROOT}/bin:$PATH
go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
make licenses-check

# Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
govulncheck:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'

# `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
# See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
- name: Check Go vulnerabilities
run: |
make
go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary bin/gh
Loading