Add govulncheck job to lint workflow and fix matrix job result syntax

mohammedfirdouss · mohammedfirdouss · commit 148b5a30574e · 2026-01-15T14:44:39.000Z
Signed-off-by: Mohammed Firdous &lt;124298708+mohammedfirdouss@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -45,3 +45,39 @@ updates:
     directory: "/pkg/app/pipedv1/plugin/cloudrun"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/scriptrun"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/analysis"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/wait"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/waitapproval"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "npm"
+    directory: "/web"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "npm"
+    directory: "/docs"
+    schedule:
+      interval: "monthly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -60,11 +60,7 @@ jobs:
         # if jobs in the 'go' job matrix failed or were cancelled, this job will fail
         # otherwise this job is marked as successful because all steps are skipped
         run: exit 1
-        if: >-
-          ${{
-               contains(needs.*.result, 'failure')
-            || contains(needs.*.result, 'cancelled')
-          }}
+        if: needs.go.result != 'success'
 
   web:
     runs-on: ubuntu-24.04
@@ -100,3 +96,32 @@ jobs:
 
       - name: Lint all Helm charts
         run: make lint/helm
+
+  govulncheck:
+    runs-on: ubuntu-24.04
+    needs: list-go-modules
+    strategy:
+      fail-fast: false
+      matrix:
+        module: ${{ fromJSON(needs.list-go-modules.outputs.modules) }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run govulncheck
+        working-directory: ${{ matrix.module }}
+        run: govulncheck ./...
+
+  govulncheck-completed:
+    runs-on: ubuntu-24.04
+    if: always()
+    needs: govulncheck
+    steps:
+      - name: Check if all govulncheck jobs succeeded
+        # if jobs in the 'govulncheck' job matrix failed or were cancelled, this job will fail
+        # otherwise this job is marked as successful because all steps are skipped
+        run: exit 1
+        if: needs.govulncheck.result != 'success'
