Scheduled govulncheck #238
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # "Govulncheck reports known vulnerabilities that affect Go code. | |
| # It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application." | |
| # | |
| # For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck | |
| name: 'Scheduled govulncheck' | |
| on: | |
| # run schedule every work day at 9:42 UTC | |
| schedule: | |
| - cron: '42 9 * * 1-5' | |
| # allow manually triggering workflow | |
| workflow_dispatch: | |
| jobs: | |
| govulncheck_job: | |
| runs-on: ubuntu-latest | |
| name: Run govulncheck | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # CodeQL runs on these branches. Pattern matching doesn't work, so we need to add relevant branches manually. | |
| branches: | |
| - 'master' | |
| - 'V5.4' | |
| - 'V6.0' | |
| steps: | |
| - name: Checkout branch | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ matrix.branches }} | |
| - name: govulncheck | |
| uses: golang/govulncheck-action@v1 | |
| with: | |
| go-version-input: '' # remove default to suppress github warning | |
| go-version-file: 'go.mod' # test against go.mod since 'stable' is not valid for older branches | |
| go-package: ./... | |
| repo-checkout: false # will auto-checkout the default branch if left on true | |
| output-format: 'text' # other values will always result in successful completion of the action, we need it fail on vulnerabilities | |
| - name: notify slack | |
| # this uses our own 'Github notifications' app in slack | |
| uses: slackapi/[email protected] | |
| if: ${{ failure() }} # only run this steps if one of the previous steps has failed | |
| with: | |
| webhook: ${{ secrets.SLACK_WEBHOOK_URL_NUTS_CORE_TEAM }} # webhook is linked to a specific slack channel | |
| webhook-type: incoming-webhook | |
| payload: | | |
| { | |
| "text": "GitHub Action failed", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Vulnerabilities detected on a production branch* :rotating_light:\n govulncheck detected vulnerabilities on one of the production branches.\n See workflow for more info." | |
| } | |
| }, | |
| { | |
| "type": "actions", | |
| "elements": [ | |
| { | |
| "type": "button", | |
| "text": { | |
| "type": "plain_text", | |
| "text": ":github: Failed workflow" | |
| }, | |
| "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| } | |
| ] | |
| } | |
| ] | |
| } |