Refactored GitHub security workflows: swapped Trivy and GolangCI-Lint jobs, improved permission granularity, and aligned action versions.

AlphaOne1 · AlphaOne1 · commit d4b55ba77631 · 2026-03-08T18:21:08.000+01:00
Signed-off-by: Alexander Adam &lt;alphaone23@gmail.com&gt;
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -15,58 +15,60 @@ on:
 permissions: read-all
 
 jobs:
-    TrivyCode:
+    GolangCI:
         runs-on: ubuntu-latest
         permissions:
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
             with:
                 egress-policy: audit
 
-          - name: Checkout code
+          - name: Checkout
             uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            with:
+                fetch-depth: 1
 
-          - name: Run Trivy vulnerability scanner in repo mode
-            uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
+          - name: Run golangci-lint
+            uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
             with:
-                scan-type: 'fs'
-                ignore-unfixed: true
-                format: 'sarif'
-                output: 'trivy-results.sarif'
-                severity: 'CRITICAL'
+                version: latest
+                args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
 
-          - name: Upload Trivy scan results to GitHub Security tab
+          - name: Upload golangci-lint results to GitHub Security tab
             uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
             with:
-                sarif_file: 'trivy-results.sarif'
+                sarif_file: golangci-lint-results.sarif
 
-    GolangciLint:
+    TrivyCode:
         runs-on: ubuntu-latest
         permissions:
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
             with:
                 egress-policy: audit
 
-          - name: Checkout
+          - name: Checkout code
             uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
 
-          - name: Run golangci-lint
-            uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+          - name: Run Trivy vulnerability scanner in fs mode
+            uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
             with:
-                version: latest
-                args: --output.sarif.path=golangci-lint-results.sarif
+                scan-type: 'fs'
+                ignore-unfixed: true
+                format: 'sarif'
+                output: 'trivy-results.sarif'
+                severity: 'CRITICAL,HIGH'
 
-          - name: Upload golangci-lint results to GitHub Security tab
+          - name: Upload Trivy scan results to GitHub Security tab
             uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
             with:
-                sarif_file: golangci-lint-results.sarif
+                sarif_file: 'trivy-results.sarif'
 
     VulnerabilityCheck:
         strategy:
@@ -75,40 +77,34 @@ jobs:
                   - "stable"
         runs-on: ubuntu-latest
         permissions:
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
             with:
                 egress-policy: audit
 
-          - name: Checkout
-            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
-
-          - name: VulnerabilityCheck
+          - name: Vulnerability Check
             uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
             with:
-                repo-checkout: false
                 go-version-input: ${{matrix.go-version}}
                 output-format: sarif
                 output-file: govulncheck-results.sarif
 
-          - name: PrintSarif
-            id: PrintSarif
+          - name: Print Sarif
+            id: printSarif
             run:  |
                 cat govulncheck-results.sarif
-
                 if grep results govulncheck-results.sarif
                 then
                     echo "hasResults=true" >> $GITHUB_OUTPUT
                 else
                     echo "hasResults=false" >> $GITHUB_OUTPUT
                 fi
 
-          - name: Upload govulncheck results to GitHub Security tab
-            if: ${{ steps.PrintSarif.outputs.hasResults == 'true' }}
+          - name: Upload govulncheck results to Security tab
+            if: ${{ steps.printSarif.outputs.hasResults == 'true' }}
             uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
             with:
                 sarif_file: govulncheck-results.sarif
