[CI/CD] Add govulncheck to CI #1416
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1416 +/- ##
=======================================
Coverage 85.31% 85.31%
=======================================
Files 102 102
Lines 12972 12972
=======================================
Hits 11067 11067
Misses 1418 1418
Partials 487 487 Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
.github/workflows/ci.yml
Outdated
| security-events: write | ||
| with: | ||
| target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }} | ||
| go-version-input: '1.24.10' |
There was a problem hiding this comment.
Is there a way to get the golang version from the go.mod file like how we do it for the setup-go action on line 72?
.github/workflows/nightly-scans.yml
Outdated
| uses: ./.github/workflows/vulncheck.yml | ||
| with: | ||
| target-branch: 'dev-v2' | ||
| go-version-input: '1.24.10' |
There was a problem hiding this comment.
Agent V2 is actually on 1.24.9 at the moment. So we need to be able to get the version from the go.mod instead of hardcoding it into the workflows
There was a problem hiding this comment.
Added a check where we read the go version from the go.mod
.github/workflows/vulncheck.yml
Outdated
| on: | ||
| workflow_call: | ||
| inputs: | ||
| go-version-input: |
There was a problem hiding this comment.
Can the go-version-input inputs be removed now?
Proposed changes
Adds the
govulncheckaction to our CI workflow to catch and report vulnerabilities to the Security tab.Also adds a
nightly-scans.ymlworkflow to run the vulnerability scan nightly againstmainanddev-v2branches.Checklist
Before creating a PR, run through this checklist and mark each as complete.
CONTRIBUTINGdocumentmake install-toolsand have attached any dependency changes to this pull requestREADME.md)