build: switch to toolchain-cicd/govulncheck-action#490
Walkthrough
Replaces the govulncheck GitHub Action with a different action source, updates its inputs to read the Go version from go.mod, disables caching, and uses an explicit configuration file. Adds a new .govulncheck.yaml that suppresses three specific vulnerabilities until 2025-10-02.
Sequence Diagram(s)
sequenceDiagram
autonumber
actor Dev as Developer
participant GH as GitHub Actions Runner
participant Action as govulncheck Action (toolchain-cicd@master)
participant Mod as go.mod
participant Cfg as .govulncheck.yaml
participant Tool as govulncheck
Dev->>GH: Push / PR triggers workflow
GH->>Action: Run govulncheck step
Action->>Mod: Read Go version (go-version-file)
Action->>Cfg: Load ignore configuration
Note over Action,Tool: Caching disabled (cache: false)
Action->>Tool: Invoke scan with config and resolved Go version
Tool-->>Action: Results (respecting ignored vulnerabilities)
Action-->>GH: Exit status and report
Estimated code review effort: 2 (Simple) | ~10 minutes
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##           master    #490   +/-   ##
=======================================
  Coverage   78.62%   78.62%
=======================================
  Files          52       52
  Lines        2638     2638
=======================================
  Hits         2074     2074
  Misses        502      502
  Partials       62       62
Actionable comments posted: 1
🧹 Nitpick comments (5)
.govulncheck.yaml (3)
3-4: Fix duplicated words in comments (“Found in Found in” / “Fixed in Fixed in”). Minor polish for clarity.
- # Found in Found in: net/http/internal@go1.22.12
- # Fixed in Fixed in: net/http/internal@go1.23.8
+ # Found in: net/http/internal@go1.22.12
+ # Fixed in: net/http/internal@go1.23.8
@@
- # Found in Found in: os@go1.22.12
- # Fixed in Fixed in: os@go1.23.10
+ # Found in: os@go1.22.12
+ # Fixed in: os@go1.23.10
@@
- # Found in Found in: net/http@go1.22.12
- # Fixed in Fixed in: net/http@go1.23.10
+ # Found in: net/http@go1.22.12
+ # Fixed in: net/http@go1.23.10
Also applies to: 9-10, 15-16
1-19: Add tracking context to each ignore. Consider adding a short justification and tracker (e.g., SANDBOX-1401) next to each ignored ID to document why it’s silenced and who owns the follow-up.
I can add concise “Tracking: SANDBOX-1401; upgrade blocked by Go <1.23.10” notes inline.
19-19: Add a trailing newline. YAMLlint flags missing EOF newline.
  - id: GO-2025-3751
    info: https://pkg.go.dev/vuln/GO-2025-3751
    silence-until: 2025-10-02
+
.github/workflows/govulncheck.yml (2)
24-26: Avoid double Go selection unless required by the action. You already install Go via setup-go using go.mod; passing go-version-file to the action may cause duplication or mismatch if behaviors diverge. If the action honors the existing toolchain on PATH, prefer removing its version selection.
  with:
-   go-version-file: go.mod
    cache: false
    config: .govulncheck.yaml
If the action requires its own Go selection, keep as-is.
26-26: Add a trailing newline. YAMLlint flags missing EOF newline.
  config: .govulncheck.yaml
+
📜 Review details
📒 Files selected for processing (2)
.github/workflows/govulncheck.yml (1 hunks)
.govulncheck.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/govulncheck.yml
[error] 26-26: no new line character at the end of file
(new-line-at-end-of-file)
.govulncheck.yaml
[error] 19-19: no new line character at the end of file
(new-line-at-end-of-file)
🔇 Additional comments (1)
.govulncheck.yaml (1)
5-7: Confirmed fixed Go versions and no backports; schedule upgrades before silence-until dates.
GO-2025-3563 is fixed in go1.23.8; GO-2025-3750 and GO-2025-3751 in go1.23.10; there are no Go 1.22.x backports—ensure upgrades to those Go releases are planned before their silence-until deadlines (e.g., 2025-10-02).
| - name: Run govulncheck | ||
| uses: golang/govulncheck-action@v1 | ||
| uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master |
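Review bot: the replacement `uses:` line swaps a released tag (`golang/govulncheck-action@v1`) for a floating branch ref (`codeready-toolchain/toolchain-cicd/govulncheck-action@master`), so the code this step executes changes whenever that branch moves, with no change to this repository to review. Pin the action to a full commit SHA with the version noted in a trailing comment, e.g. `uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha> # vX.Y.Z`, and bump it deliberately; a tag is better than a branch but can also be moved, so a SHA is the stronger choice for a step that decides whether known vulnerabilities fail the build. Since this action also reads the new `.govulncheck.yaml` with `silence-until` dates, confirm that an expired silence makes the step fail rather than continue to suppress the finding.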
🛠️ Refactor suggestion
Pin the custom action to a tag or commit SHA (avoid @master).
Reduces supply-chain risk and ensures reproducible CI.
- uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
+ uses: codeready-toolchain/toolchain-cicd/govulncheck-action@v1
+# or pin to a specific commit:
+# uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
Description
Currently, we only have our custom govulncheck-action enabled on wa, host-operator, member-operator, and registration-service. We need to enable it in the other repos (toolchain-e2e, toolchain-common, ...)
Why are we using our custom toolchain-cicd/govulncheck-action?
Unfortunately, govulncheck does not have a feature for ignoring the vulns. There is a feature request, but we do not know when it will be addressed. To avoid govulncheck failing in PRs, we implemented a workaround on toolchain-cicd to ignore vulnerabilities that do not have a fix available or require a higher Go version than we have.
Related PRs
codeready-toolchain/toolchain-e2e#1190
codeready-toolchain/api#483
kubesaw/ksctl#122
Issue ticket number and link
SANDBOX-1401
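The walkthrough and the description above both describe the same mechanism: govulncheck findings are filtered against an ignore list whose entries carry a `silence-until` date. The following is an added example written for this page, not the toolchain-cicd action's own code. It assumes the entry shape visible in the PR's .govulncheck.yaml (`id`, `info`, `silence-until`), assumes the silence is inclusive of the `silence-until` day, and assumes govulncheck's `-format json` stream carries findings as line-delimited objects under a `finding` key with an `osv` id. The YAML parser handles only that flat list-of-mappings subset, and both inputs are constructed samples embedded inline.

```python
import json
import re
from datetime import date

# Constructed ignore list in the shape of the PR's .govulncheck.yaml
# (id / info / silence-until per entry). Only this flat subset of YAML
# is understood by parse_ignore_list; it is not a general YAML parser.
IGNORE_YAML = """\
# Found in: net/http/internal@go1.22.12
# Fixed in: net/http/internal@go1.23.8
- id: GO-2025-3563
  info: https://pkg.go.dev/vuln/GO-2025-3563
  silence-until: 2025-10-02
- id: GO-2025-3750
  info: https://pkg.go.dev/vuln/GO-2025-3750
  silence-until: 2025-10-02
"""

# Constructed sample of `govulncheck -format json` output (assumed shape:
# one JSON object per line, findings under the "finding" key).
GOVULNCHECK_JSON = """\
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2025-3563","fixed_version":"v1.23.8","trace":[{"module":"stdlib","package":"net/http/internal"}]}}
{"finding":{"osv":"GO-2025-3750","fixed_version":"v1.23.10","trace":[{"module":"stdlib","package":"os"}]}}
{"finding":{"osv":"GO-2025-3751","fixed_version":"v1.23.10","trace":[{"module":"stdlib","package":"net/http"}]}}
"""


def parse_ignore_list(text):
    """Return {vuln_id: {"info": str, "silence_until": date}} from the flat YAML subset."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^\s*-\s*id:\s*(\S+)\s*$", line)
        if m:
            current = {"info": None, "silence_until": None}
            entries[m.group(1)] = current
            continue
        m = re.match(r"^\s*(info|silence-until):\s*(\S+)\s*$", line)
        if m and current is not None:
            key, value = m.groups()
            if key == "silence-until":
                current["silence_until"] = date.fromisoformat(value)
            else:
                current["info"] = value
            continue
        raise ValueError(f"unsupported line in ignore list: {raw!r}")
    for vid, entry in entries.items():
        if entry["silence_until"] is None:
            raise ValueError(f"{vid}: silence-until is required so ignores expire")
    return entries


def findings(json_stream):
    """Collect the distinct OSV ids reported as findings in the JSON stream."""
    ids = set()
    for line in json_stream.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if "finding" in msg:  # config/progress/osv messages are skipped
            ids.add(msg["finding"]["osv"])
    return sorted(ids)


def evaluate(finding_ids, ignores, today):
    """Split findings into silenced (ignore still in force) and failing ones."""
    silenced, failing = [], []
    for vid in finding_ids:
        entry = ignores.get(vid)
        if entry is not None and entry["silence_until"] >= today:
            silenced.append(vid)
        else:
            failing.append(vid)  # not listed, or the silence has expired
    return silenced, failing


def run(ignore_yaml, json_stream, today_iso):
    """Produce the report a CI step would act on; exit_code 1 means fail the build."""
    today = date.fromisoformat(today_iso)
    ignores = parse_ignore_list(ignore_yaml)
    silenced, failing = evaluate(findings(json_stream), ignores, today)
    expired = sorted(v for v, e in ignores.items() if e["silence_until"] < today)
    return {"silenced": silenced, "failing": failing, "expired": expired,
            "exit_code": 1 if failing else 0}


if __name__ == "__main__":
    report = run(IGNORE_YAML, GOVULNCHECK_JSON, date.today().isoformat())
    for key in ("silenced", "failing", "expired"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
    raise SystemExit(report["exit_code"])
```

The point of carrying `silence-until` through to the exit code is that an ignore is a deferral, not a permanent exception: once the date passes, the finding fails the build again and the `expired` list tells the owner which entries to revisit, which is the follow-up the review comment above asks to be scheduled.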