diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 32a7d6b..fbb8bdf 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -3,8 +3,6 @@ on:
 branches:
 - main
 pull_request:
- schedule: # Monday at 04:00 UTC
- - cron: '0 4 * * Mon'
 
 permissions:
 contents: read
diff --git a/.github/workflows/govulnfix.yml b/.github/workflows/govulnfix.yml
new file mode 100644
index 0000000..3aec087
--- /dev/null
+++ b/.github/workflows/govulnfix.yml
@@ -0,0 +1,61 @@
+on:
+ workflow_dispatch:
+ schedule: # Monday at 04:00 UTC
+ - cron: '0 4 * * Mon'
+
+permissions:
+ contents: write
+ pull-requests: write
+
+name: govulnfix
+jobs:
+ vulnfix:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Install Go
+ id: install-go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Download dependencies
+ run: go mod download
+ if: steps.install-go.outputs.cache-hit != 'true'
+
+ - name: Install govulncheck
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: Install vulnfix
+ run: go install github.com/hamba/vulnfix@latest
+
+ # govulncheck exits 3 when vulnerabilities are found; we want to continue to vulnfix, so we ignore the exit code.
+ - name: Run govulncheck
+ run: |
+ go run golang.org/x/vuln/cmd/govulncheck@latest -format json ./... > /tmp/govulncheck-output.json; ec=$?
+ [[ $ec -eq 0 || $ec -eq 3 ]] || exit $ec
+
+ # Switch to the latest version of Go to ensure vulnfix can update the version of Go.
+ - name: Install Latest Go
+ uses: actions/setup-go@v6
+ with:
+ go-version: '1'
+ check-latest: true
+ cache: false
+
+ - name: Run vulnfix
+ run: vulnfix -o /tmp/vuln.md < /tmp/govulncheck-output.json
+
+ - name: Open Pull Request
+ uses: peter-evans/create-pull-request@v8
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ branch: govulncheck/auto-fix
+ delete-branch: "true"
+ commit-message: "chore(deps): fix vulnerabilities reported by govulncheck"
+ title: "chore(deps): fix vulnerabilities reported by govulncheck"
+ body-path: /tmp/vuln.md
+ labels: security,dependencies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a671996..5776354 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -35,6 +35,8 @@ jobs:
 matrix: go-version: [ "1.25", "1.26" ] runs-on: ubuntu-latest
+ env:
+ GOTESTSUM_VERSION: v1.13.0
 steps: - name: Checkout code
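Review bot: The exit-code capture in the `Run govulncheck` step does not work under the default `run` shell, which is `bash -e`: when govulncheck exits 3, `-e` aborts the step at the `go run` command before `ec=$?` executes, so the `[[ $ec -eq 0 || $ec -eq 3 ]]` line is never reached and vulnfix never runs in exactly the case the comment above the step describes. Capture the status on the failure branch instead: `ec=0`, `go run golang.org/x/vuln/cmd/govulncheck@latest -format json ./... > /tmp/govulncheck-output.json || ec=$?`, `[[ $ec -eq 0 || $ec -eq 3 ]] || exit $ec`. The `Install govulncheck` step is also redundant, since the scan invokes `go run ...@latest` rather than the installed binary. This job runs unattended on a schedule with `contents: write` and `pull-requests: write`, yet both `govulncheck@latest` and `github.com/hamba/vulnfix@latest` are unpinned, so whatever those modules publish next executes with a token that can push branches; pin both to an explicit version tag (`@vX.Y.Z`, version to be chosen) and bump them deliberately. Note as well that a pull request opened with `secrets.GITHUB_TOKEN` does not trigger `pull_request` workflows, so the auto-fix branch will not be exercised by `test.yml` or `govulncheck.yml` before someone reviews it.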
@@ -45,19 +47,26 @@ jobs:
 uses: actions/setup-go@v6
 with:
 go-version: ${{ matrix.go-version }}
- check-latest: true
+ check-latest: "true"
+
+ - name: Cache Go test cache
+ uses: actions/cache@v5
+ with:
+ path: /home/runner/.cache/go-test-cache
+ key: ${{ runner.os }}-go-testcache-${{ hashFiles('**/go.sum') }}
+ restore-keys: ${{ runner.os }}-go-testcache-
 
 - name: Download dependencies
 run: go mod download
 if: steps.install-go.outputs.cache-hit != 'true'
 
 - name: Setup gotestsum
- uses: gertd/action-gotestsum@v3.0.0
- with:
- gotestsum_version: v1.13.0
+ run: go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }}
 
 - name: Run Tests
 run: gotestsum --format pkgname -- -covermode=atomic -coverprofile=coverage.out -race ./...
+ env:
+ GOCACHE: /home/runner/.cache/go-test-cache
 
 - name: Coveralls
 uses: coverallsapp/github-action@v2
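Review bot: The new `actions/cache` key `${{ runner.os }}-go-testcache-${{ hashFiles('**/go.sum') }}` does not include `matrix.go-version`, so the `1.25` and `1.26` jobs compete for one entry: both attempt to save under the same key (the second save is typically refused as already existing) and each restores a `GOCACHE` populated by the other toolchain, which should be harmless for correctness but makes the cache far less effective. Add the toolchain to the key: `key: ${{ runner.os }}-go${{ matrix.go-version }}-testcache-${{ hashFiles('**/go.sum') }}` and `restore-keys: ${{ runner.os }}-go${{ matrix.go-version }}-testcache-`. The cache `path` and the `GOCACHE` value are hard-coded to `/home/runner`, which ties the job to the hosted Ubuntu runner; a comment such as `# absolute path required by GOCACHE; valid on ubuntu-latest only` next to the `path` would make that constraint explicit. The job's `steps` list begins before and ends after this hunk.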