govulncheck-cron-schedule.yaml

# "Govulncheck reports known vulnerabilities that affect Go code.
#  It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."
#
# For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
name: 'Scheduled govulncheck'

on:
  # run schedule every work day at 9:42 UTC
  schedule:
    - cron: '42 9 * * 1-5'
  # allow manually triggering workflow
  workflow_dispatch:

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck

    strategy:
      fail-fast: false
      matrix:
        # CodeQL runs on these branches. Pattern matching doesn't work, so we need to add relevant branches manually.
        branches:
          - 'master'
          - 'V5.4'
          - 'V6.0'

    steps:
      - name: Checkout branch
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branches }}

      - name: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: '' # remove default to suppress github warning
          go-version-file: 'go.mod' # test against go.mod since 'stable' is not valid for older branches
          go-package: ./...
          repo-checkout: false # will auto-checkout the default branch if left on true
          output-format: 'text' # other values will always result in successful completion of the action, we need it fail on vulnerabilities

      - name: notify slack
        # this uses our own 'Github notifications' app in slack
        uses: slackapi/slack-github-action@v2.0.0
        if: ${{ failure() }} # only run this steps if one of the previous steps has failed
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL_NUTS_CORE_TEAM }} # webhook is linked to a specific slack channel
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "GitHub Action failed",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "*Vulnerabilities detected on a production branch* :rotating_light:\n govulncheck detected vulnerabilities on one of the production branches.\n See workflow for more info."
                  }
                },
                {
                  "type": "actions",
                  "elements": [
                    {
                      "type": "button",
                      "text": {
                        "type": "plain_text",
                        "text": ":github: Failed workflow"
                      },
                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                    }
                  ]
                }
              ]
            }