From 762b679fac2415767400bb7cb10a5bcb3a20caf5 Mon Sep 17 00:00:00 2001
From: Lennart Jern
Date: Fri, 23 May 2025 13:37:58 +0300
Subject: [PATCH] Add weekly govulncheck workflow
Signed-off-by: Lennart Jern
---
 .github/workflows/security-scan.yaml | 30 ++++++++++++++++++++++++++++
 Makefile | 3 +++
 2 files changed, 33 insertions(+)
 create mode 100644 .github/workflows/security-scan.yaml
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 0000000000..1c7bebbb2f
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,30 @@
+name: Weekly security scan
+
+on:
+ workflow_dispatch:
+ schedule:
+ # Cron for every Monday at 4:12 UTC.
+ - cron: "12 4 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+ scan:
+ strategy:
+ fail-fast: false
+ matrix:
+ branch: [master, release-1.33, release-1.32, release-1.31]
+ name: Verify security
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4.2.2
+ with:
+ ref: ${{ matrix.branch }}
+ - name: Set up Go
+ uses: actions/setup-go@v5.5.0
+ with:
+ go-version-file: go.mod
+ - name: Run verify security target
+ run: make verify-security
diff --git a/Makefile b/Makefile
index 46883ffad8..73796c7aea 100644
--- a/Makefile
+++ b/Makefile
@@ -103,6 +103,9 @@ vet: check
 cover: work
 go test -tags=unit $(shell go list ./...) -cover
+verify-security: work
+ go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...
+
 docs:
 @echo "$@ not yet implemented"
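Review bot: Both actions in the `steps` list are pinned to mutable tags (`actions/checkout@v4.2.2`, `actions/setup-go@v5.5.0`), so anyone who can move those tags can change what runs in this job; pin each to the full commit SHA and keep the version as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4.2.2`. None of the visible steps push or call the GitHub API, so the checkout step can also set `persist-credentials: false` so the GITHUB_TOKEN is not left in `.git/config` for the later steps, which complements the `permissions: {}` already set. Separately, the matrix runs `make verify-security` on three release branches, but this patch adds that target only to the branch it lands on; unless it is backported the release jobs will presumably fail on a missing target, and running `go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...` directly in the `run:` step would remove that dependency on each branch's Makefile.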
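Review bot: The govulncheck version is hard-coded inline in the `verify-security` recipe, which makes bumps easy to miss and impossible to override from the command line; a variable, `GOVULNCHECK_VERSION ?= v1.1.4` above the target and `go run golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION) ./...` in the recipe, keeps the pin in one greppable place. The target also carries no comment saying what it checks or who calls it; `# Scan dependencies for known vulnerabilities; run weekly by .github/workflows/security-scan.yaml.` above `verify-security: work` would do. If the Makefile declares phony targets in a `.PHONY` line outside this hunk, `verify-security` should be added there, since it produces no file. Note that `go run pkg@version` resolves the tool outside the repo's go.mod/go.sum, so its integrity rests on the Go checksum database (GOSUMDB) staying enabled in the CI environment.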