govulncheck: update Go before running the vuln checks (#161)

xcoulon · web-flow · commit bcdba76c12ff · 2025-12-11T11:19:17.000+01:00
The `entrypoint.sh` runs the `go mod verify` command which will download the version of Go matching the `toolchain` in `go.mod`. This requires the `GOTOOLCHAIN` env var to be set to `auto` This change sure that the vuln check is executed with the same version of Go as the one used to build the binary :) see https://go.dev/doc/toolchain also, upgrade the code and the builder image to Go 1.24 also, upgrade other GitHub actions to their latest versions also, rename the binary to `govulncheckx` to avoid mixing with the standard `govulncheck` tool --------- Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
diff --git a/.github/workflows/govulncheck-action-publish.yml b/.github/workflows/govulncheck-action-publish.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set short SHA
         id: short-sha
diff --git a/.github/workflows/govulncheck-action-test-lint.yml b/.github/workflows/govulncheck-action-test-lint.yml
@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version-file: govulncheck-action/go.mod
 
diff --git a/govulncheck-action/Containerfile b/govulncheck-action/Containerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23 as builder
+FROM golang:1.24 as builder
 
 ARG GOOS=linux 
 ARG GOARCH=amd64
@@ -7,14 +7,17 @@ WORKDIR /usr/src/app/
 
 COPY . .
 
-RUN echo "Building for govulncheck $GOOS/$GOARCH"
-RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheck main.go
+RUN echo "Building govulncheckx binary for $GOOS/$GOARCH"
+RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheckx main.go
 
-FROM golang:1.23
+FROM golang:1.24
 # using a fresh golang image without the `WORKDIR` from the builder stage
 # see https://docs.github.com/en/actions/reference/workflows-and-actions/dockerfile-support#workdir
+# using golang 1.24 but the entrypoint will trigger an install of the actual go version, 
+# even if it is 1.23 
 
 # copy the binary from the builder stage
-COPY --from=builder /usr/src/app/govulncheck /usr/local/bin/govulncheck
+COPY --from=builder /usr/src/app/govulncheckx /usr/local/bin/govulncheckx
+COPY --from=builder /usr/src/app/entrypoint.sh /usr/local/bin/entrypoint.sh
 
-ENTRYPOINT ["/usr/local/bin/govulncheck"]
+ENTRYPOINT ["entrypoint.sh"]
diff --git a/govulncheck-action/entrypoint.sh b/govulncheck-action/entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# upgrade the go version to match the `toolchain` directive in the `go.mod` file
+# see https://go.dev/doc/toolchain
+export GOTOOLCHAIN=auto
+go mod verify
+
+# Check the version of Go
+go version
+
+# Run the govulncheck command
+govulncheckx "$@"
diff --git a/govulncheck-action/go.mod b/govulncheck-action/go.mod
@@ -1,8 +1,8 @@
 module github.com/codeready-toolchain/toolchain-cicd/govulncheck-action
 
-go 1.23.0
+go 1.24.0
 
-toolchain go1.23.12
+toolchain go1.24.11
 
 require (
 	github.com/spf13/cobra v1.9.1
