mirror of
https://github.com/lukaszraczylo/shared-actions.git
synced 2026-07-07 06:34:24 +00:00
Ensure that gosec does not pick the golang vulnerabilities.
This commit is contained in:
@@ -13,10 +13,6 @@ on:
|
|||||||
required: false
|
required: false
|
||||||
type: string
|
type: string
|
||||||
default: "release.yml"
|
default: "release.yml"
|
||||||
secrets:
|
|
||||||
pat-token:
|
|
||||||
description: "Personal Access Token for creating PRs with verified commits"
|
|
||||||
required: true
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
autoupdate:
|
autoupdate:
|
||||||
@@ -57,7 +53,7 @@ jobs:
|
|||||||
if: steps.changes.outputs.changes_detected == 'true'
|
if: steps.changes.outputs.changes_detected == 'true'
|
||||||
uses: peter-evans/create-pull-request@v7
|
uses: peter-evans/create-pull-request@v7
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.pat-token }}
|
token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
|
||||||
commit-message: "Update go.mod and go.sum"
|
commit-message: "Update go.mod and go.sum"
|
||||||
title: "Update Go dependencies"
|
title: "Update Go dependencies"
|
||||||
body: |
|
body: |
|
||||||
@@ -72,4 +68,4 @@ jobs:
|
|||||||
if: steps.create-pr.outputs.pull-request-number
|
if: steps.create-pr.outputs.pull-request-number
|
||||||
run: gh pr merge --squash --delete-branch --admin "${{ steps.create-pr.outputs.pull-request-number }}"
|
run: gh pr merge --squash --delete-branch --admin "${{ steps.create-pr.outputs.pull-request-number }}"
|
||||||
env:
|
env:
|
||||||
GH_TOKEN: ${{ secrets.pat-token }}
|
GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
|
||||||
|
|||||||
@@ -69,11 +69,36 @@ jobs:
|
|||||||
run: go install golang.org/x/vuln/cmd/govulncheck@latest
|
run: go install golang.org/x/vuln/cmd/govulncheck@latest
|
||||||
|
|
||||||
- name: Run govulncheck
|
- name: Run govulncheck
|
||||||
run: govulncheck ./...
|
run: |
|
||||||
|
# Run govulncheck and capture output
|
||||||
|
set +e
|
||||||
|
OUTPUT=$(govulncheck -show verbose ./... 2>&1)
|
||||||
|
EXIT_CODE=$?
|
||||||
|
echo "$OUTPUT"
|
||||||
|
|
||||||
|
# If there are vulnerabilities, check if they're only in stdlib
|
||||||
|
if [ $EXIT_CODE -ne 0 ]; then
|
||||||
|
# Check if there are any third-party package vulnerabilities
|
||||||
|
# Stdlib vulnerabilities show "Found in: <pkg>@go<version>" (e.g., crypto/x509@go1.25.4)
|
||||||
|
# Third-party vulns show "Found in: <pkg>@v<version>" (e.g., github.com/foo/bar@v1.2.3)
|
||||||
|
if echo "$OUTPUT" | grep -q "Found in:"; then
|
||||||
|
# If no "Found in:" lines contain @v (third-party version), only stdlib affected
|
||||||
|
if ! echo "$OUTPUT" | grep "Found in:" | grep -qE "@v[0-9]"; then
|
||||||
|
echo ""
|
||||||
|
echo "⚠️ Only stdlib vulnerabilities found - these require a Go version upgrade"
|
||||||
|
echo "✅ No vulnerabilities in third-party dependencies"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
exit $EXIT_CODE
|
||||||
|
fi
|
||||||
|
|
||||||
gosec:
|
gosec:
|
||||||
name: Gosec SARIF
|
name: Gosec SARIF
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@@ -103,6 +128,9 @@ jobs:
|
|||||||
codeql:
|
codeql:
|
||||||
name: CodeQL Analysis
|
name: CodeQL Analysis
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|||||||
Reference in New Issue
Block a user