8 changes: 4 additions & 4 deletions .github/workflows/govulncheck.yml
@@ -19,8 +19,8 @@ jobs:
go-version-file: go.mod

- name: Run govulncheck
uses: golang/govulncheck-action@v1
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
with:
go-version-input: ${{ steps.install-go.outputs.go-version }}
go-package: ./...
repo-checkout: false
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
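Review bot: Besides the `@master` reference, this hunk drops `go-package: ./...` and `repo-checkout: false` without any replacement, so the scan scope is now whatever `codeready-toolchain/toolchain-cicd/govulncheck-action` defaults to; confirm the fork scans all packages and state that explicitly in the workflow. The removed `go-version-input: ${{ steps.install-go.outputs.go-version }}` also means the preceding setup step's output is no longer consumed, so check that the fork's own `go-version-file: go.mod` input is what actually selects the toolchain.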
Comment on lines +22 to +26

🛠️ Refactor suggestion

Pin the custom action to a commit SHA (avoid @master)

Reduce supply-chain risk by pinning to a specific commit.

-      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
+      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
Suggested change
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
with:
go-version-input: ${{ steps.install-go.outputs.go-version }}
go-package: ./...
repo-checkout: false
\ No newline at end of file
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
with:
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
.github/workflows/govulncheck.yml lines 22-26: the workflow pins the govulncheck
action to @master which is unstable; change the uses entry to reference a
specific commit SHA (e.g.
codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>) instead of
@master, update any related docs/lockfile if needed, and commit the updated
workflow so CI uses the immutable action version.

7 changes: 7 additions & 0 deletions .govulncheck.yaml
@@ -0,0 +1,7 @@
ignored-vulnerabilities:
# Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
# Found in: os@go1.22.12
# Fixed in: os@go1.23.10
- id: GO-2025-3750
silence-until: 2025-10-02
info: https://pkg.go.dev/vuln/GO-2025-3750
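Review bot: The entry silences GO-2025-3750 until 2025-10-02 but records no owner or tracking reference for the real fix, which the comment itself identifies as moving from os@go1.22.12 to os@go1.23.10; add a link to the toolchain-bump issue or the planned upgrade so the suppression is not simply re-extended when it expires. The keys used here (`ignored-vulnerabilities`, `id`, `silence-until`, `info`) must match the schema of the fork that `.github/workflows/govulncheck.yml` now references via `config: .govulncheck.yaml`, not the official golang action; an unrecognised key would leave the finding unsuppressed or, worse, silently accepted. The file should also end with a newline (yamllint flags line 7).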
Comment on lines +1 to +7

💡 Verification agent

🧩 Analysis chain

Confirm config schema compatibility

Double-check the action’s config schema supports:

  • top-level key: ignored-vulnerabilities
  • fields: id, silence-until (date), and optional info

If names differ (e.g., ignores), the action may silently ignore entries.


🌐 Web query:

What is the supported configuration schema for codeready-toolchain/toolchain-cicd/govulncheck-action? Does it accept an `ignored-vulnerabilities` list with `id`, `silence-until`, and `info` fields?

💡 Result:

Short answer: The upstream golang govulncheck-action does NOT support an ignored-vulnerabilities list or per‑vulnerability silence fields. Its README explicitly says there's no support for silencing findings. [1]

If you need that behavior, there are third‑party/custom govulncheck action forks that implement a .govulncheck(.x).yaml with an ignored-vulnerabilities list (examples show entries with id plus a silence_until / silence-until date and info link). These are not part of the official golang action. [2][3]

Sources:

  • Official govulncheck-action README (no support for silencing findings). [1]
  • Example custom action (govulncheckx / docs showing ignored-vulnerabilities + silence-until + info). [2][3]

References:
[1] golang/govulncheck-action README.
[2] xcoulon/govulncheckx-action docs (ignored-vulnerabilities example).
[3] libraries.io summary of xcoulon/govulncheckx-action.


Incompatible config: govulncheck-action doesn’t support ignored-vulnerabilities
The official golang govulncheck-action ignores any ignored-vulnerabilities list (and fields like silence-until or info) in .govulncheck.yaml; silencing entries isn’t supported. Either remove this section or switch to a fork (e.g. xcoulon/govulncheckx-action) that implements per-vulnerability silencing.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 7-7: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In .govulncheck.yaml around lines 1 to 7 you have an ignored-vulnerabilities
block which govulncheck-action does not support (including fields like
silence-until and info); either remove the entire ignored-vulnerabilities
section from this file, or keep it only if you switch your GitHub Action to a
fork that supports per-vulnerability silencing (for example update your workflow
to use xcoulon/govulncheckx-action) and ensure the config format matches that
fork’s expectations (remove or adjust unsupported fields if you choose to keep
the file for another tool).
