hamba · nrwiersma · Jun 3, 2026 · Jun 3, 2026
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -0,0 +1,20 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+name: govulncheck
+jobs:
+  govulncheck:
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run govalncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-input: ''
+          go-version-file: 'go.mod'
diff --git a/.github/workflows/govulnfix.yml b/.github/workflows/govulnfix.yml
@@ -0,0 +1,61 @@
+on:
+  workflow_dispatch:
+  schedule: # Monday at 04:00 UTC
+    - cron: '0 4 * * Mon'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+name: govulnfix
+jobs:
+  vulnfix:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install Go
+        id: install-go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Download dependencies
+        run: go mod download
+        if: steps.install-go.outputs.cache-hit != 'true'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Install vulnfix
+        run: go install github.com/hamba/vulnfix@latest
+
+      # govulncheck exits 3 when vulnerabilities are found; we want to continue to vulnfix, so we ignore the exit code.
+      - name: Run govulncheck
+        run: |
+          go run golang.org/x/vuln/cmd/govulncheck@latest -format json ./... > /tmp/govulncheck-output.json; ec=$?
+          [[ $ec -eq 0 || $ec -eq 3 ]] || exit $ec
+
+      # Switch to the latest version of Go to ensure vulnfix can update the version of Go.
+      - name: Install Latest Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1'
+          check-latest: true
+          cache: false
+
+      - name: Run vulnfix
+        run: vulnfix -o /tmp/vuln.md < /tmp/govulncheck-output.json
+
+      - name: Open Pull Request
+        uses: peter-evans/create-pull-request@v8
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          branch: govulncheck/auto-fix
+          delete-branch: "true"
+          commit-message: "chore(deps): fix vulnerabilities reported by govulncheck"
+          title: "chore(deps): fix vulnerabilities reported by govulncheck"
+          body-path: /tmp/vuln.md
+          labels: security,dependencies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,11 +6,7 @@ on:
 
 name: run tests
 jobs:
-  test:
-
-    strategy:
-      matrix:
-        go-version: [ "1.25", "1.26" ]
+  lint:
     runs-on: ubuntu-latest
     env:
       GOLANGCI_LINT_VERSION: v2.11.3
@@ -23,7 +19,7 @@ jobs:
         id: install-go
         uses: actions/setup-go@v6
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version-file: 'go.mod'
 
       - name: Download dependencies
         run: go mod download
@@ -34,19 +30,43 @@ jobs:
         with:
           version: ${{ env.GOLANGCI_LINT_VERSION }}
 
-      - name: Setup gotestsum
-        uses: gertd/action-gotestsum@v3.0.0
-        with:
-          gotestsum_version: v1.13.0
+  test:
+    strategy:
+      matrix:
+        go-version: [ "1.25", "1.26" ]
+    runs-on: ubuntu-latest
+    env:
+      GOTESTSUM_VERSION: v1.13.0
 
-      - name: Run Tests
-        run: gotestsum --junitfile tests.xml --format pkgname -- -covermode=atomic -coverprofile=coverage.out -race ./...
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install Go
+        id: install-go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go-version }}
+          check-latest: "true"
 
-      - name: Test Summary
-        uses: test-summary/action@v2
+      - name: Cache Go test cache
+        uses: actions/cache@v5
         with:
-          paths: "tests.xml"
-        if: always()
+          path: /home/runner/.cache/go-test-cache
+          key: ${{ runner.os }}-go-testcache-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-go-testcache-
+
+      - name: Download dependencies
+        run: go mod download
+        if: steps.install-go.outputs.cache-hit != 'true'
+
+      - name: Setup gotestsum
+        run: go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }}
+
+      - name: Run Tests
+        run: gotestsum --format pkgname -- -covermode=atomic -coverprofile=coverage.out -race ./...
+        env:
+          GOCACHE: /home/runner/.cache/go-test-cache
 
       - name: Coveralls
         uses: coverallsapp/github-action@v2
@@ -57,7 +77,7 @@ jobs:
           parallel: true
           flag-name: go-${{ matrix.go-version }}
 
-  finish:
+  test-results:
     needs: test
     if: ${{ always() }}
     runs-on: ubuntu-latest
@@ -68,3 +88,7 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           parallel-finished: true
+
+      - name: Check matrix results
+        if: ${{ contains(needs.test.result, 'failure') || contains(needs.test.result, 'cancelled') }}
+        run: exit 1