PR(CI): Fix the vulnerabilities check in a hacky way

shahzadlone · Sep 30, 2024 · c711a05 · c711a05
1 parent 6b1f97f
commit c711a05
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/.github/workflows/check-vulnerabilities.yml b/.github/workflows/check-vulnerabilities.yml
@@ -30,10 +30,32 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Run govulncheck
-        uses: golang/govulncheck-action@v1
+      - name: Checkout code into the directory
+        uses: actions/checkout@v4
+
+      - name: Setup Go environment explicitly
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
           check-latest: true
           cache: false
-          go-package: ./...
+
+      - name: Install govulncheck
+        run: make deps:vulncheck
+
+      - name: Run govulncheck scan
+        run: govulncheck -C . -format text ./... | tee govulncheck.txt
+
+      - name: Check if only known vulnerabilities were found (there are new vulnerabilities if this fails)
+        run: cat govulncheck.txt | grep "Your code is affected by 2 vulnerabilities from 1 module."
+
+    # Use the steps below once the x/crisis (crisis.init) bug is fixed or if the
+    # ability to silence is implemented: https://github.com/golang/go/issues/61211
+    #steps:
+    # - name: Run govulncheck
+    #   uses: golang/govulncheck-action@v1
+    #   with:
+    #     go-version-file: 'go.mod'
+    #     check-latest: true
+    #     cache: false
+    #     go-package: ./...
diff --git a/Makefile b/Makefile
@@ -135,6 +135,10 @@ else
 	$(info YAML linter 'yamllint' already installed.)
 endif
 
+.PHONY: deps\:vulncheck
+deps\:vulncheck:
+	go install golang.org/x/vuln/cmd/govulncheck@latest
+
 .PHONY: deps\:lint
 deps\:lint:
 	@$(MAKE) deps:lint-go && \
@@ -172,6 +176,7 @@ deps:
 	$(MAKE) deps:bench && \
 	$(MAKE) deps:chglog && \
 	$(MAKE) deps:lint && \
+	$(MAKE) deps:vulncheck && \
 	$(MAKE) deps:test && \
 	$(MAKE) deps:mocks