From ee685ca3fc5cac98b51eb1804c2be35385ffc8c2 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Tue, 25 Feb 2025 12:50:42 +0100 Subject: [PATCH 1/4] chore: add govulncheck to workflow --- .github/workflows/go.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 128e0bae8c5..b116f53b826 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -35,6 +35,7 @@ jobs: - name: Test without race detector (Windows) if: matrix.os == 'windows-latest' run: make test-ci + test-flaky: name: Test (flaky) runs-on: ubuntu-latest @@ -50,6 +51,7 @@ jobs: - name: Run flaky test run: make test-ci-flaky continue-on-error: ${{ github.ref == 'refs/heads/master' }} + lint: name: Lint runs-on: ubuntu-latest @@ -75,6 +77,7 @@ jobs: run: make check-whitespace - name: go mod tidy check uses: katexochen/go-tidy-check@v2 + coverage: name: Coverage Report if: github.ref == 'refs/heads/master' @@ -102,10 +105,27 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true files: ./cover.out + + vuln-check: + name: Vulnerability Check + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Go + uses: actions/setup-go@v5 + with: + cache: true + go-version-file: go.mod + - name: Install govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + - name: Run govulncheck + run: govulncheck ./... + trigger-beekeeper: name: Trigger Beekeeper runs-on: ubuntu-latest - needs: [test, lint, coverage] + needs: [test, lint, coverage, vuln-check] if: github.ref == 'refs/heads/master' steps: - name: Checkout From e1d9051dce7fe9293e23c82b90994610d976209c Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Tue, 25 Feb 2025 12:57:59 +0100 Subject: [PATCH 2/4] chore: update workflow and use govulncheck-action --- .github/workflows/go.yml | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) 
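Review bot: The `Install govulncheck` step runs `go install golang.org/x/vuln/cmd/govulncheck@latest`, so the scanner that gates `trigger-beekeeper` through the new `needs: [test, lint, coverage, vuln-check]` is unpinned and can change behaviour between runs with no change in this repository. Pin it to an explicit release, e.g. `run: go install golang.org/x/vuln/cmd/govulncheck@<release-tag>`, and bump it deliberately; the vulnerability database is fetched live anyway, so pinning the tool is what keeps the job's behaviour reproducible. Later patches in this series replace this step with `golang/govulncheck-action`, so the pin may end up belonging there instead.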
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index b116f53b826..15de1026cfc 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -35,7 +35,6 @@ jobs: - name: Test without race detector (Windows) if: matrix.os == 'windows-latest' run: make test-ci - test-flaky: name: Test (flaky) runs-on: ubuntu-latest @@ -51,7 +50,6 @@ jobs: - name: Run flaky test run: make test-ci-flaky continue-on-error: ${{ github.ref == 'refs/heads/master' }} - lint: name: Lint runs-on: ubuntu-latest @@ -77,7 +75,6 @@ jobs: run: make check-whitespace - name: go mod tidy check uses: katexochen/go-tidy-check@v2 - coverage: name: Coverage Report if: github.ref == 'refs/heads/master' @@ -105,23 +102,16 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true files: ./cover.out - vuln-check: name: Vulnerability Check runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v5 + - id: govulncheck + uses: golang/govulncheck-action@v1 with: - cache: true go-version-file: go.mod - - name: Install govulncheck - run: go install golang.org/x/vuln/cmd/govulncheck@latest - - name: Run govulncheck - run: govulncheck ./... - + go-package: ./... + output-format: text trigger-beekeeper: name: Trigger Beekeeper runs-on: ubuntu-latest From ca4f95d007d24cafd77a6d2586f4f1dafd1454a7 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Tue, 25 Feb 2025 13:15:02 +0100 Subject: [PATCH 3/4] chore: add govulncheck to Makefile --- Makefile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Makefile b/Makefile index 4e5fcefef98..3fb9b56d89f 100644 --- a/Makefile +++ b/Makefile 
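Review bot: `uses: golang/govulncheck-action@v1` references a floating major tag of a third-party action in a job that now gates `trigger-beekeeper`, so whoever can move that tag can alter what runs before the master-only trigger; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: golang/govulncheck-action@<commit-sha> # v1.x`, and consider doing the same for `katexochen/go-tidy-check@v2` in the `lint` job. As far as I can tell the action installs govulncheck itself, so check whether it pins the tool version or tracks `@latest`, which is the same concern the inline `go install` step had. With `output-format: text` a finding should still make the step fail, which is what gives the `needs` edge its meaning — worth a one-line comment on the job so the next person changing the format knows that.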
@@ -91,6 +91,14 @@ lint: linter linter: test -f $(GOLANGCI_LINT) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$($(GO) env GOPATH)/bin $(GOLANGCI_LINT_VERSION) +.PHONY: install-govulncheck +install-govulncheck: + @command -v govulncheck >/dev/null 2>&1 || go install golang.org/x/vuln/cmd/govulncheck@latest + +.PHONY: govulncheck +govulncheck: install-govulncheck binary + govulncheck -mode=binary ./dist/bee + .PHONY: check-whitespace check-whitespace: TREE=$$(git hash-object -t tree /dev/null); \ From e6b27589ddffad5061ed63db7ef0c9176a4c43fa Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Tue, 25 Feb 2025 13:38:13 +0100 Subject: [PATCH 4/4] chore: test govulncheck sarif format --- .github/workflows/go.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 15de1026cfc..c52a83f93e7 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -106,12 +106,21 @@ jobs: name: Vulnerability Check runs-on: ubuntu-latest steps: - - id: govulncheck + - name: Checkout repository + uses: actions/checkout@v4 + - name: Run govulncheck + id: govulncheck uses: golang/govulncheck-action@v1 with: go-version-file: go.mod go-package: ./... - output-format: text + output-format: sarif + output-file: govulncheck.sarif + - name: Upload SARIF to GitHub Code Scanning + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: govulncheck.sarif trigger-beekeeper: name: Trigger Beekeeper runs-on: ubuntu-latest
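Review bot: `install-govulncheck` calls bare `go` with `@latest`, while the neighbouring `linter` target goes through `$(GO)` and a pinned `$(GOLANGCI_LINT_VERSION)`; the `command -v` guard also accepts whatever `govulncheck` is already on PATH without checking its version, so `make govulncheck` is not reproducible across developer machines. Suggest `@command -v govulncheck >/dev/null 2>&1 || $(GO) install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)` with `GOVULNCHECK_VERSION` defined next to `GOLANGCI_LINT_VERSION` outside this hunk. Note also that `govulncheck -mode=binary ./dist/bee` only reports on the modules linked into that one build (the `binary` prerequisite is outside this hunk, so I am assuming it produces `./dist/bee`), whereas CI scans `./...` in source mode, so the two can legitimately disagree; a short comment on the target, e.g. `# Scans the built binary only; CI runs source mode over ./...`, would save someone a confused afternoon.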
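Review bot: The new `Upload SARIF to GitHub Code Scanning` step needs `security-events: write`, but neither the `vuln-check` job nor this hunk declares a `permissions:` block, so unless the workflow sets one at top level (outside these hunks) the upload will be rejected under a read-only default `GITHUB_TOKEN`, and it will fail on pull requests from forks regardless; add `permissions:` / `contents: read` / `security-events: write` to the job. Separately, as far as I know govulncheck does not return a non-zero exit when emitting json/sarif, so switching `output-format` from `text` to `sarif` likely means findings no longer fail this job and `trigger-beekeeper`'s `needs: vuln-check` stops gating on them — confirm that is intended, or keep a text-mode run alongside the SARIF one. `if: always()` also runs the upload when checkout or the scan step errored before `govulncheck.sarif` existed, turning one failure into two; `if: ${{ !cancelled() && steps.govulncheck.outcome != 'skipped' }}` keeps the useful case (uploading findings from a failed scan) without that.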