govulncheck.yml
---
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
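name: Govulncheck

# Scan on every push to main and on every pull request that targets main.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the token is available to every step below,
# including the third-party actions, and nothing visible in this workflow needs
# more than read access to the repository contents. Widen per job, not here, if
# a later step needs another scope.
permissions:
  contents: read

jobs:
  govulncheck_job:
    name: Scan for vulns
    runs-on: ubuntu-latest
    steps:
      # Every action is pinned to a full commit SHA so a moved tag cannot change
      # the code that runs; the trailing comment records the release the SHA is
      # meant to correspond to. Update both together.
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895  # v2.6.1
        with:
          # audit only records outbound connections, it does not stop them.
          # Once the recorded endpoints are known, move to block with an
          # explicit allowed-endpoints list.
          egress-policy: audit

      # NOTE(review): no checkout step precedes this one, so the workspace is
      # presumably empty when the cache key is computed, and the scan step
      # below takes its own go-version-input. Confirm this step is still needed.
      - name: Install Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v5.0.0
        with:
          go-version: '>= 1.21'
          cache: true

      # check-latest resolves the newest Go release matching the constraint, so
      # the scan also covers recently fixed standard-library vulnerabilities.
      - name: Run govulncheck
        id: govulncheck
        uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4  # v1.0.1
        with:
          go-version-input: '>= 1.21'
          check-latest: true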