
build: switch to toolchain-cicd/govulncheck-action #490

Merged

rsoaresd merged 2 commits into codeready-toolchain:master from rsoaresd:switch_to_toolchain-cicd/govulncheck-action on Sep 3, 2025

Conversation


@rsoaresd rsoaresd commented Sep 2, 2025

Description

Currently, we only have our custom govulncheck-action enabled on wa, host-operator, member-operator, and registration-service. We need to enable it in the other repos (toolchain-e2e, toolchain-common, ...)

Why are we using our custom toolchain-cicd/govulncheck-action?

Unfortunately, govulncheck does not have a feature for ignoring the vulns. There is a feature request, but we do not know when it will be addressed. To avoid govulncheck failing in PRs, we implemented a workaround on toolchain-cicd to ignore vulnerabilities that do not have a fix available or require a higher Go version than we have.

Related PRs

codeready-toolchain/toolchain-e2e#1190
codeready-toolchain/api#483
kubesaw/ksctl#122

Issue ticket number and link

SANDBOX-1401
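The PR description above explains the policy the custom action enforces: a finding is suppressed only while it is listed in .govulncheck.yaml and its silence-until date has not passed; anything else fails the build. The following is an added example written for this page, not code from toolchain-cicd's govulncheck-action. It implements that policy against the config shape the walkthrough below describes (ignored-vulnerabilities entries with id, info and silence-until) and the finding objects in govulncheck's -json output. The minimal line parser (instead of a YAML library), the inclusive handling of the silence-until day, the Gate/Triage names and the sample inputs are assumptions of this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"time"
)

// Ignore mirrors one entry under ignored-vulnerabilities in .govulncheck.yaml.
type Ignore struct {
	ID, Info     string
	SilenceUntil time.Time // the ignore expires after this day
}

// ParseIgnoreConfig reads the flat "- id / info / silence-until" list used in the PR.
// It is a deliberately minimal line parser (an assumption of this example, not a
// YAML library); it skips blank lines and the "# Found in / # Fixed in" comments.
func ParseIgnoreConfig(r io.Reader) ([]Ignore, error) {
	var out []Ignore
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
		case strings.HasPrefix(line, "- id:"):
			out = append(out, Ignore{ID: strings.TrimSpace(strings.TrimPrefix(line, "- id:"))})
		case strings.HasPrefix(line, "info:") && len(out) > 0:
			out[len(out)-1].Info = strings.TrimSpace(strings.TrimPrefix(line, "info:"))
		case strings.HasPrefix(line, "silence-until:") && len(out) > 0:
			t, err := time.Parse("2006-01-02", strings.TrimSpace(strings.TrimPrefix(line, "silence-until:")))
			if err != nil {
				return nil, fmt.Errorf("%s: bad silence-until: %w", out[len(out)-1].ID, err)
			}
			out[len(out)-1].SilenceUntil = t
		}
	}
	return out, sc.Err()
}

// message is the subset of the govulncheck -json stream this gate needs; the
// config/progress/osv objects decode with Finding == nil and are skipped.
type message struct {
	Finding *struct {
		OSV          string `json:"osv"`
		FixedVersion string `json:"fixed_version"`
	} `json:"finding"`
}

// Triage buckets each distinct OSV ID: silenced (listed, today is on or before
// silence-until), expired (listed, date passed) or unlisted. The last two fail.
func Triage(scan io.Reader, ignores []Ignore, today time.Time) (silenced, expired, unlisted []string, err error) {
	byID := map[string]Ignore{}
	for _, ig := range ignores {
		byID[ig.ID] = ig
	}
	seen := map[string]bool{}
	dec := json.NewDecoder(scan)
	for {
		var m message
		if derr := dec.Decode(&m); derr == io.EOF {
			break
		} else if derr != nil {
			return nil, nil, nil, derr
		}
		if m.Finding == nil || seen[m.Finding.OSV] {
			continue // not a finding, or the same ID reached through another trace
		}
		seen[m.Finding.OSV] = true
		ig, listed := byID[m.Finding.OSV]
		switch {
		case !listed:
			unlisted = append(unlisted, m.Finding.OSV)
		case today.After(ig.SilenceUntil):
			expired = append(expired, m.Finding.OSV)
		default:
			silenced = append(silenced, m.Finding.OSV)
		}
	}
	return silenced, expired, unlisted, nil
}

// Gate runs the policy end to end: pass only if nothing is expired or unlisted.
func Gate(config, scan string, today time.Time) (bool, string, error) {
	ignores, err := ParseIgnoreConfig(strings.NewReader(config))
	if err != nil {
		return false, "", err
	}
	silenced, expired, unlisted, err := Triage(strings.NewReader(scan), ignores, today)
	if err != nil {
		return false, "", err
	}
	report := fmt.Sprintf("silenced=%v expired=%v unlisted=%v", silenced, expired, unlisted)
	return len(expired) == 0 && len(unlisted) == 0, report, nil
}

// Constructed sample inputs (IDs and dates from the PR; the JSON lines are
// hand-written in the shape of govulncheck -json output, not a real scan).
const sampleConfig = `ignored-vulnerabilities:
  # Found in: net/http/internal@go1.22.12
  # Fixed in: net/http/internal@go1.23.8
  - id: GO-2025-3563
    info: https://pkg.go.dev/vuln/GO-2025-3563
    silence-until: 2025-10-02
  - id: GO-2025-3750
    info: https://pkg.go.dev/vuln/GO-2025-3750
    silence-until: 2025-10-02
`

const sampleScan = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2025-3563","fixed_version":"v1.23.8","trace":[{"module":"stdlib","version":"v1.22.12","package":"net/http/internal"}]}}
{"finding":{"osv":"GO-2025-3563","fixed_version":"v1.23.8","trace":[{"module":"stdlib","version":"v1.22.12","package":"net/http/internal"},{"module":"stdlib","version":"v1.22.12","package":"net/http"}]}}
{"finding":{"osv":"GO-2025-3750","fixed_version":"v1.23.10","trace":[{"module":"stdlib","version":"v1.22.12","package":"os"}]}}
`

func main() {
	for _, day := range []string{"2025-09-03", "2025-10-03"} {
		today, _ := time.Parse("2006-01-02", day)
		ok, report, err := Gate(sampleConfig, sampleScan, today)
		fmt.Printf("%s pass=%t err=%v %s\n", day, ok, err, report)
	}
}
```

Run as `go run .` to see the same ignores pass on 2025-09-03 and fail on 2025-10-03; in CI the scan input would be `govulncheck -json ./...` piped in. The expiry is the point of the design: a silenced finding reverts to a hard failure by itself when the date passes, so the Go upgrade the review comment below asks for cannot be forgotten.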


coderabbitai bot commented Sep 2, 2025

Walkthrough

Replaces the govulncheck GitHub Action with a different action source, updates its inputs to read Go version from go.mod, disables caching, and uses an explicit configuration file. Adds a new .govulncheck.yaml that suppresses three specific vulnerabilities until 2025-10-02.

Changes

Cohort / File(s) Summary
CI workflow: govulncheck action switch and inputs
.github/workflows/govulncheck.yml
Switched action from golang/govulncheck-action@v1 to codeready-toolchain/toolchain-cicd/govulncheck-action@master; removed go-version-input, go-package, and repo-checkout; added go-version-file: go.mod, cache: false, and config: .govulncheck.yaml.
Govulncheck configuration
.govulncheck.yaml
New config file defining ignored-vulnerabilities with IDs GO-2025-3563, GO-2025-3750, GO-2025-3751, each with info links and silence-until: 2025-10-02.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions Runner
  participant Action as govulncheck Action (toolchain-cicd@master)
  participant Mod as go.mod
  participant Cfg as .govulncheck.yaml
  participant Tool as govulncheck

  Dev->>GH: Push / PR triggers workflow
  GH->>Action: Run govulncheck step
  Action->>Mod: Read Go version (go-version-file)
  Action->>Cfg: Load ignore configuration
  Note over Action,Tool: Caching disabled (cache: false)
  Action->>Tool: Invoke scan with config and resolved Go version
  Tool-->>Action: Results (respecting ignored vulnerabilities)
  Action-->>GH: Exit status and report

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through YAML fields at night,
Swap one action for another—quite light.
A nibble of config, three squeaks to ignore,
Until October’s moon peeks o’er the door.
Thump-thump: CI runs clean and quick—
Carrot-shaped checks, neat and slick. 🥕✨


@sonarqubecloud

sonarqubecloud bot commented Sep 2, 2025


codecov bot commented Sep 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.62%. Comparing base (76384e2) to head (00f1841).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #490   +/-   ##
=======================================
  Coverage   78.62%   78.62%           
=======================================
  Files          52       52           
  Lines        2638     2638           
=======================================
  Hits         2074     2074           
  Misses        502      502           
  Partials       62       62           

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (5)
.govulncheck.yaml (3)

3-4: Fix duplicated words in comments (“Found in Found in” / “Fixed in Fixed in”).

Minor polish for clarity.

-  # Found in Found in: net/http/internal@go1.22.12
-  # Fixed in Fixed in: net/http/internal@go1.23.8
+  # Found in: net/http/internal@go1.22.12
+  # Fixed in: net/http/internal@go1.23.8
@@
-  # Found in Found in: os@go1.22.12
-  # Fixed in Fixed in: os@go1.23.10
+  # Found in: os@go1.22.12
+  # Fixed in: os@go1.23.10
@@
-  # Found in Found in: net/http@go1.22.12
-  # Fixed in Fixed in: net/http@go1.23.10
+  # Found in: net/http@go1.22.12
+  # Fixed in: net/http@go1.23.10

Also applies to: 9-10, 15-16


1-19: Add tracking context to each ignore.

Consider adding a short justification and tracker (e.g., SANDBOX-1401) next to each ignored ID to document why it’s silenced and who owns the follow-up.

I can add concise “Tracking: SANDBOX-1401; upgrade blocked by Go <1.23.10” notes inline.


19-19: Add a trailing newline.

YAMLlint flags missing EOF newline.

   - id: GO-2025-3751
     info: https://pkg.go.dev/vuln/GO-2025-3751
     silence-until: 2025-10-02
+
.github/workflows/govulncheck.yml (2)

24-26: Avoid double Go selection unless required by the action.

You already install Go via setup-go using go.mod; passing go-version-file to the action may cause duplication or mismatch if behaviors diverge. If the action honors the existing toolchain on PATH, prefer removing its version selection.

       with:
-        go-version-file: go.mod
         cache: false
         config: .govulncheck.yaml

If the action requires its own Go selection, keep as-is.


26-26: Add a trailing newline.

YAMLlint flags missing EOF newline.

         config: .govulncheck.yaml
+
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 76384e2 and 00f1841.

📒 Files selected for processing (2)
  • .github/workflows/govulncheck.yml (1 hunks)
  • .govulncheck.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/govulncheck.yml

[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

.govulncheck.yaml

[error] 19-19: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
.govulncheck.yaml (1)

5-7: Confirmed fixed Go versions and no backports; schedule upgrades before silence-until dates.
GO-2025-3563 is fixed in go1.23.8; GO-2025-3750 and GO-2025-3751 in go1.23.10; there are no Go 1.22.x backports—ensure upgrades to those Go releases are planned before their silence-until deadlines (e.g., 2025-10-02).


- name: Run govulncheck
uses: golang/govulncheck-action@v1
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
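Review bot: the new `uses:` line points the step at `codeready-toolchain/toolchain-cicd/govulncheck-action@master`, a branch ref that moves with every push to that repo, and this step is the one that decides whether the vulnerability gate passes; any change to master, intended or not, changes the gate in every consuming repo at once with nothing in this workflow recording which code ran. Pin to the full 40-character commit SHA of the action revision you tested, keep the human-readable tag in a trailing comment, and let a dependency-update bot propose SHA bumps; note that a tag such as `@v1` is also re-pointable, so it narrows the window but does not close it.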

🛠️ Refactor suggestion

Pin the custom action to a tag or commit SHA (avoid @master).

Reduces supply-chain risk and ensures reproducible CI.

-      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
+      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@v1
+# or pin to a specific commit:
+#     uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
🤖 Prompt for AI Agents
.github/workflows/govulncheck.yml around line 22: the workflow references the
custom action with an unpinned ref (@master); replace the floating ref with a
specific released tag or a commit SHA (for example a vX.Y.Z tag or the action
repo's full commit SHA) to pin the action, update the workflow entry to use that
tag/SHA, and commit the change so CI uses the fixed version for reproducible and
lower-risk builds.
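The review comment above asks for the action ref to be pinned. As an added example (written for this page, not part of the project or of CodeRabbit's tooling), the check below scans a workflow file for `uses:` references and reports every one whose ref is not a full commit SHA, classifying it as a tag or a branch. The regular expressions, the `RefKind`/`UnpinnedUses` names and the sample workflow text are assumptions of this example; the all-zero SHA in the sample is a placeholder, not a real commit.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// usesRe matches `uses: owner/repo[/subdir]@ref` in a workflow step. Local (./x)
// and docker:// actions have no @ref and are deliberately not matched.
var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	tagRe  = regexp.MustCompile(`^v\d+(\.\d+){0,2}$`)
)

// RefKind classifies an action ref: only "sha" is immutable; tags can be moved
// and branches move on every push.
func RefKind(ref string) string {
	switch {
	case shaRe.MatchString(ref):
		return "sha"
	case tagRe.MatchString(ref):
		return "tag"
	default:
		return "branch"
	}
}

// UnpinnedUses returns one "file:line: action@ref (kind ref, mutable)" entry
// for every uses: reference in the workflow that is not pinned to a commit SHA.
func UnpinnedUses(name, workflow string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if kind := RefKind(m[2]); kind != "sha" {
			out = append(out, fmt.Sprintf("%s:%d: %s@%s (%s ref, mutable)", name, n, m[1], m[2], kind))
		}
	}
	return out
}

// sampleWorkflow is constructed for this example: the step from the PR, the
// reviewer's @v1 alternative, and a SHA-pinned line with a placeholder SHA.
const sampleWorkflow = `steps:
  - name: Run govulncheck
    uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
    with:
      go-version-file: go.mod
      cache: false
      config: .govulncheck.yaml
  - uses: codeready-toolchain/toolchain-cicd/govulncheck-action@v1
  - uses: codeready-toolchain/toolchain-cicd/govulncheck-action@0000000000000000000000000000000000000000 # v1
`

func main() {
	for _, finding := range UnpinnedUses(".github/workflows/govulncheck.yml", sampleWorkflow) {
		fmt.Println(finding)
	}
}
```

Wired into CI as a required check, this fails the build whenever a floating ref slips back in; pair it with a dependency-update bot so the pinned SHA still moves forward through reviewed pull requests.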

@rsoaresd rsoaresd merged commit 769c1bb into codeready-toolchain:master Sep 3, 2025
12 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Nov 3, 2025