Add govulncheck job to lint workflow and fix matrix job result syntax

[mohammedfirdouss]

Issue

#6409

What was addressed

The PR adds two security features:

1. Dependabot configuration — automatically checks for dependency updates
2. govulncheck integration — scans Go code for known vulnerabilities

How it works

1. Dependabot (.github/dependabot.yml)

• Scans Go modules and npm packages weekly
• Monitors multiple directories (root, plugins, tools, web, docs)
• Creates PRs when updates are available
• Limits open PRs to 5 per ecosystem to avoid spam

2. govulncheck (.github/workflows/lint.yaml)

• Runs automatically on every PR and push
• Scans all Go modules in the repository
• Uses a matrix strategy to check each module separately
• Fails the CI if vulnerabilities are found
• Includes a completion job (govulncheck-completed) for branch protection rules

Testing

mohammedfirdouss#1 - see this dependabot that automatically checks for dependency updates in my repo and updates what is necessary then opens a PR.
Check out how the workflow file also catches vulnerabilities, the screenshots show evidences that this would work. I am open to reviews and suggestions.

What was done

Updated Go version from 1.25.0 to 1.25.8 in all 14 go.mod files to fix 9 stdlib vulnerabilities detected by govulncheck.

cc: @khanhtc1202 @eeshaanSA @Warashi @ffjlabo

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Ayushmore1214]

Adding go module caching would be better for faster CI runs WDYT @mohammedfirdouss ?

[mohammedfirdouss]

Adding go module caching would be better for faster CI runs WDYT @mohammedfirdouss ?

Hmm, I think this is a good idea.

[khanhtc1202]

LGTM, thanks 👍

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.65%. Comparing base (7b5e11a) to head (1f81585).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6435      +/-   ##
==========================================
+ Coverage   28.87%   38.65%   +9.77%     
==========================================
  Files         560       11     -549     
  Lines       59955      652   -59303     
==========================================
- Hits        17313      252   -17061     
+ Misses      41321      384   -40937     
+ Partials     1321       16    -1305     

Flag	Coverage Δ
.	?
.-pkg-app-pipedv1-plugin-analysis	?
.-pkg-app-pipedv1-plugin-kubernetes	?
.-pkg-app-pipedv1-plugin-kubernetes_multicluster	?
.-pkg-app-pipedv1-plugin-scriptrun	?
.-pkg-app-pipedv1-plugin-terraform	38.65% <ø> (ø)
.-pkg-app-pipedv1-plugin-wait	?
.-pkg-app-pipedv1-plugin-waitapproval	?
.-pkg-plugin-sdk	?
.-tool-actions-gh-release	?
.-tool-actions-plan-preview	?
.-tool-codegen-protoc-gen-auth	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mohammedfirdouss]

@khanhtc1202 Merge conflict has been resolved.

[khanhtc1202]

LGTM

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[Warashi]

@mohammedfirdouss
Thank you, this is nice!

But I have a concern.
If we merge this PR without resolving the govulncheck failures, the CI on the master branch will fail.
I want the master branch to pass the all CI checks, so I don't want to merge this PR as is.
On the other hand, I think it's resolving the failures within this PR seems difficult. Could you please open an issue to resolve them?
If you have time, please try to resolve them.

@khanhtc1202 please comment if you have another idea.

[mohammedfirdouss]

@mohammedfirdouss Thank you, this is nice!

But I have a concern. If we merge this PR without resolving the govulncheck failures, the CI on the master branch will fail. I want the master branch to pass the all CI checks, so I don't want to merge this PR as is. On the other hand, I think it's resolving the failures within this PR seems difficult. Could you please open an issue to resolve them? If you have time, please try to resolve them.

@khanhtc1202 please comment if you have another idea.

Hi @Warashi, thank you for catching this!

You're absolutely right. Let me investigate the govulncheck failures immediately.

My plan:

1. Run govulncheck locally to identify the specific vulnerabilities
2. Check if they're from this PR's changes or pre-existing dependencies
3. Either fix them directly in this PR (if straightforward) or create a tracking issue (if complex)
4. Re-test with full CI before requesting re-review

I'll have findings + plan by end of day and will either push fixes or create the tracking issue shortly.

@khanhtc1202 - thoughts on preferred approach?

[mohammedfirdouss]

Created tracking issue #6600. The govulncheck failures are pre-existing vulnerabilities, this PR correctly surfaces them. I'll work on fixing them in a separate PR so we can unblock this one without breaking master. The scan still runs and reports vulnerabilities, but won't block the PR from merging. Once the vulnerabilities are fixed (tracked in #6600), we can make it blocking again. Ready for re-review @Warashi @khanhtc1202

Also, i saw that i will have to update the Go version, so that would probably be a huge bump since it will affect other yml files like test etc. please check the tracking issue for more info

CI Run: https://github.com/pipe-cd/pipecd/actions/runs/23225979807