Skip to content

build: switch to toolchain-cicd/govulncheck-action #490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rsoaresd merged 2 commits into from
Sep 3, 2025
Merged

build: switch to toolchain-cicd/govulncheck-action #490

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ef7a8cc
build: switch to toolchain-cicd/govulncheck-action
Sep 2, 2025
00f1841
update
Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/workflows/govulncheck.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@ jobs:
go-version-file: go.mod

- name: Run govulncheck
uses: golang/govulncheck-action@v1
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
Copy link

@coderabbitai coderabbitai bot Sep 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Pin the custom action to a tag or commit SHA (avoid @master).

Reduces supply-chain risk and ensures reproducible CI.

-      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
+      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@v1
+# or pin to a specific commit:
+#     uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@v1
# or pin to a specific commit:
# uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
🤖 Prompt for AI Agents 
.github/workflows/govulncheck.yml around line 22: the workflow references the
custom action with an unpinned ref (@master); replace the floating ref with a
specific released tag or a commit SHA (for example a vX.Y.Z tag or the action
repo's full commit SHA) to pin the action, update the workflow entry to use that
tag/SHA, and commit the change so CI uses the fixed version for reproducible and
lower-risk builds.

with:
go-version-input: ${{ steps.install-go.outputs.go-version }}
go-package: ./...
repo-checkout: false
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
19 changes: 19 additions & 0 deletions .govulncheck.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
ignored-vulnerabilities:
# Request smuggling due to acceptance of invalid chunked data in net/http
# Found in Found in: net/http/internal@go1.22.12
# Fixed in Fixed in: net/http/internal@go1.23.8
- id: GO-2025-3563
info: https://pkg.go.dev/vuln/GO-2025-3563
silence-until: 2025-10-02
# Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
# Found in Found in: os@go1.22.12
# Fixed in Fixed in: os@go1.23.10
- id: GO-2025-3750
info: https://pkg.go.dev/vuln/GO-2025-3750
silence-until: 2025-10-02
# Sensitive headers not cleared on cross-origin redirect in net/http
# Found in Found in: net/http@go1.22.12
# Fixed in Fixed in: net/http@go1.23.10
- id: GO-2025-3751
info: https://pkg.go.dev/vuln/GO-2025-3751
silence-until: 2025-10-02
Loading