add scheduled govulncheck (#3642)

nuts-foundation · Jan 8, 2025 · 854047e · 854047e
1 parent 9121e3a
commit 854047e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/.github/workflows/govulncheck-cron-schedule.yaml b/.github/workflows/govulncheck-cron-schedule.yaml
@@ -0,0 +1,33 @@
+# "Govulncheck reports known vulnerabilities that affect Go code.
+#  It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."
+#
+# For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+name: 'Scheduled govulncheck'
+
+# run schedule every work day at 9:42
+on:
+  schedule:
+    - cron: '42 9 * * 1-5'
+
+jobs:
+  govulncheck_job:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL runs on these branches. Pattern matching doesn't work, so we need to add relevant branches manually.
+        branches:
+          - 'master'
+          - 'V5.4'
+          - 'V6.0'
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          # TODO: This should probably run against the builder or runtime in the Dockerfile.
+          #       I don't think it is possible to detect those versions here, but maybe run against `go-version-input: 'stable'`
+          #       and detect container vulnerabilities in a different action?
+          go-version-file: 'go.mod'
+          go-package: ./...
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -14,8 +14,6 @@ on:
     branches:
       - 'master'
       - 'V*'
-  schedule:
-    - cron: '21 10 * * 2'
 
 jobs:
   govulncheck_job: