chore(all): add govulncheck workflow (#2774)

Add a workflow to run govulncheck regularly and create an issue if any
vulnerability is found.

Example issue: #2777

Fixes #2736

Author: JoeWang1127

.github/workflows/govulcheck.yaml.yml

@@ -0,0 +1,54 @@
+name: 'Govulncheck Scan & Issue Creator'
+on:
+  schedule:
+    # 8:00 every day.
+    - cron: '0 8 * * *'
+jobs:
+  scan-and-report:
+    name: Run govulncheck and Create Issue
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read # To check out code
+      issues: write # To create issues
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run govulncheck and count findings
+        id: govulncheck-scan
+        run: |
+          # Run with -json (which never fails) and save to a file
+          govulncheck -json ./... > results.json
+          # Count the number of findings using jq.
+          COUNT=$(jq -s 'length' results.json)
+          echo "Found $COUNT vulnerabilities."
+          # Set an output for the next steps to use
+          echo "vuln_count=$COUNT" >> $GITHUB_OUTPUT
+      - name: Upload scan results artifact
+        if: steps.govulncheck-scan.outputs.vuln_count > 0
+        uses: actions/upload-artifact@v4
+        with:
+          name: govulncheck-results-json
+          path: results.json
+          retention-days: 7
+      - name: Create GitHub Issue (if vulns found)
+        if: steps.govulncheck-scan.outputs.vuln_count > 0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          ISSUE_TITLE="Security Vulnerabilities Detected in main branch"
+          # Check if an open issue with this exact title already exists
+          EXISTING_ISSUE=$(gh issue list --state open --search "in:title \"$ISSUE_TITLE\"" --json number -R $GH_REPO)
+          if [[ "$EXISTING_ISSUE" == "[]" ]]; then
+            echo "No existing issue found. Creating a new one."
+            BODY="**Automated Vulnerability Report**\n\n\`govulncheck\` found **${{ steps.govulncheck-scan.outputs.vuln_count }}** vulnerabilities on the \`main\` branch. Please review Workflow Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} for detail."
+            gh issue create --title "$ISSUE_TITLE" --body "$BODY" -R $GH_REPO
+          else
+            echo "An open issue with this title already exists. Skipping creation."
+          fi

all_test.go

@@ -242,10 +242,6 @@ func TestGoModTidy(t *testing.T) {
 	rungo(t, "mod", "tidy", "-diff")
 }
 
-func TestGovulncheck(t *testing.T) {
-	rungo(t, "run", "golang.org/x/vuln/cmd/[email protected]", "./...")
-}
-
 func rungo(t *testing.T, args ...string) {
 	t.Helper()