Add govulncheck job to lint workflow and fix matrix job result syntax

.github/dependabot.yml

@@ -0,0 +1,83 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/plugin/sdk"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/tool/actions-gh-release"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/tool/actions-plan-preview"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/tool/codegen/protoc-gen-auth"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/kubernetes"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/kubernetes_multicluster"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/terraform"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/cloudrun"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/scriptrun"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/analysis"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/wait"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/pkg/app/pipedv1/plugin/waitapproval"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "npm"
+    directory: "/web"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "npm"
+    directory: "/docs"
+    schedule:
+      interval: "monthly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/first-time-contributor.yaml

@@ -52,8 +52,6 @@ Before your PR gets merged, please check a few important things below.
 ### DCO Sign-off
 All commits must include a \`Signed-off-by\` line to comply with the Developer Certificate of Origin (DCO).
 
-In case you forget to sign-off your commit(s), follow these steps:
-
 For the last commit:
 \`\`\`bash
 git commit --amend --signoff
@@ -69,18 +67,15 @@ git push --force-with-lease
 ---
 
 ### Run checks locally
-Before pushing updates, please run:
 \`\`\`bash
 make check
 \`\`\`
-This runs the same checks as CI and helps catch issues early.
 
 ---
 
 ### 💬 Need help?
-If anything is unclear, feel free to ask in this PR or join us on the CNCF Slack in the **#pipecd** channel.
-You can get your Slack invite from: https://communityinviter.com/apps/cloud-native/cncf
-
+Feel free to ask in this PR or join **#pipecd** on CNCF Slack:  
+https://communityinviter.com/apps/cloud-native/cncf
 
 Thanks for contributing to PipeCD! ❤️
 `;

.github/workflows/lint.yaml

@@ -60,11 +60,7 @@ jobs:
         # if jobs in the 'go' job matrix failed or were cancelled, this job will fail
         # otherwise this job is marked as successful because all steps are skipped
         run: exit 1
-        if: >-
-          ${{
-               contains(needs.*.result, 'failure')
-            || contains(needs.*.result, 'cancelled')
-          }}
+        if: needs.go.result != 'success'
 
   web:
     runs-on: ubuntu-24.04
@@ -100,3 +96,32 @@ jobs:
 
       - name: Lint all Helm charts
         run: make lint/helm
+
+  govulncheck:
+    runs-on: ubuntu-24.04
+    needs: list-go-modules
+    strategy:
+      fail-fast: false
+      matrix:
+        module: ${{ fromJSON(needs.list-go-modules.outputs.modules) }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run govulncheck
+        working-directory: ${{ matrix.module }}
+        run: govulncheck ./...
+
+  govulncheck-completed:
+    runs-on: ubuntu-24.04
+    if: always()
+    needs: govulncheck
+    steps:
+      - name: Check if all govulncheck jobs succeeded
+        # if jobs in the 'govulncheck' job matrix failed or were cancelled, this job will fail
+        # otherwise this job is marked as successful because all steps are skipped.
+        run: exit 1
+        if: needs.govulncheck.result != 'success'