feat: add govulncheck gh workflows

.github/workflows/govulncheck.yml

@@ -0,0 +1,33 @@
+name: govulncheck
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  govulncheck:
+    name: Run on Ubuntu
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone the code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          # Fetch full history so git worktree can check out the base branch.
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+        with:
+          go-version-file: go.mod
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+
+      - name: Run govulncheck
+        # NRC_VERIFY_GIT_BRANCH tells the script which branch to use as the
+        # base for comparison.
+        env:
+          NRC_VERIFY_GIT_BRANCH: ${{ github.base_ref || 'main' }}
+        run: hack/verify-govulncheck.sh

Makefile

@@ -61,6 +61,11 @@ CONTROLLER_GEN_BIN := controller-gen
 CONTROLLER_GEN := $(abspath $(TOOLS_BIN_DIR)/$(CONTROLLER_GEN_BIN)-$(CONTROLLER_GEN_VER))
 CONTROLLER_GEN_PKG := sigs.k8s.io/controller-tools/cmd/controller-gen
 
+GOVULNCHECK_VER := v1.1.4
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 # Image URL to use all building/pushing image targets
 IMG_PREFIX ?= controller
 IMG_TAG ?= latest
@@ -161,6 +166,10 @@ lint-api-fix: $(GOLANGCI_LINT_KAL)
 lint-config: $(GOLANGCI_LINT) ## Verify golangci-lint linter configuration
 	$(GOLANGCI_LINT) config verify
 
+.PHONY: govulncheck
+govulncheck: $(GOVULNCHECK) ## Run govulncheck to detect known vulnerabilities.
+	$(GOVULNCHECK) -scan package ./...
+
 .PHONY: verify
 verify: ## Run all verification scripts.
 	 ./hack/verify-all.sh
@@ -450,6 +459,9 @@ $(GOLANGCI_LINT): # Build golangci-lint from tools folder.
 $(GOLANGCI_LINT_KAL): $(GOLANGCI_LINT) # Build golangci-lint-kal from custom configuration.
 	cd $(TOOLS_DIR); $(GOLANGCI_LINT) custom
 
+$(GOVULNCHECK): # Build govulncheck from tools folder.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 
 ## --------------------------------------
 ## Documentation

hack/verify-all.sh

@@ -20,4 +20,5 @@ set -o pipefail
 
 # Run all verification scripts
 hack/verify-boilerplate.sh
-hack/verify-links.sh
+hack/verify-links.sh
+hack/verify-govulncheck.sh

hack/verify-govulncheck.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Copyright The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+GOVULNCHECK_VERSION="${GOVULNCHECK_VERSION:-v1.1.4}"
+
+# Install govulncheck if not already present.
+if ! command -v govulncheck &>/dev/null; then
+  echo "Installing govulncheck@${GOVULNCHECK_VERSION}..."
+  go install "golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}"
+fi
+
+# NRC_VERIFY_GIT_BRANCH is populated in verify CI jobs (e.g. GITHUB_BASE_REF).
+BRANCH="${NRC_VERIFY_GIT_BRANCH:-main}"
+
+# Create a temp directory and clean it up on exit.
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "${TMPDIR}"' EXIT
+
+WORKTREE="${TMPDIR}/worktree"
+
+echo "Creating worktree for base branch '${BRANCH}'..."
+git worktree add -f -q "${WORKTREE}" "${BRANCH}"
+trap 'git worktree remove -f "${WORKTREE}"; rm -rf "${TMPDIR}"' EXIT
+
+echo "Running govulncheck on HEAD (PR branch)..."
+govulncheck -scan package ./... > "${TMPDIR}/head.txt" || true
+
+echo "Running govulncheck on base branch '${BRANCH}'..."
+pushd "${WORKTREE}" >/dev/null
+  govulncheck -scan package ./... > "${TMPDIR}/pr-base.txt" || true
+popd >/dev/null
+
+echo -e "\n=== HEAD (PR branch) ===\n$(cat "${TMPDIR}/head.txt")"
+echo -e "\n=== BASE (${BRANCH}) ===\n$(cat "${TMPDIR}/pr-base.txt")"
+
+diff -s -u --ignore-all-space "${TMPDIR}/pr-base.txt" "${TMPDIR}/head.txt" || true