ci: add govulncheck

Signed-off-by: Paul Meyer <[email protected]>
edgelesssys · Jan 5, 2024 · 25f92e5 · 25f92e5
1 parent 20cc230
commit 25f92e5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
@@ -37,3 +37,15 @@ jobs:
           error: Go source needs to be updated, check the GitHub run summary for the diff.
           suggested-fix: Run \`nix run .#generate\` to generate and tidy Go code.
           renovate-commit-msg: "fixup: update Go source"
+
+  govulncheck:
+      runs-on: ubuntu-22.04
+      steps:
+        - name: Checkout
+          uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        - name: Install Nix
+          uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+          with:
+            github_access_token: ${{ secrets.GITHUB_TOKEN }}
+        - name: Run govulncheck
+          run: nix run .#govulncheck -- ./...
diff --git a/packages/default.nix b/packages/default.nix
@@ -109,4 +109,10 @@ rec {
   genpolicy = genpolicy-msft;
   genpolicy-msft = callPackage ./genpolicy_msft.nix { };
   genpolicy-kata = callPackage ./genpolicy_kata.nix { };
+
+  govulncheck = writeShellApplication {
+    name = "govulncheck";
+    runtimeInputs = with pkgs; [ go govulncheck ];
+    text = ''govulncheck "$@"'';
+  };
 }