govulncheck-cron-schedule.yaml

# "Govulncheck reports known vulnerabilities that affect Go code.
#  It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."
#
# For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
name: 'Scheduled govulncheck'

# run schedule every work day at 9:42 UTC
on:
  schedule:
    - cron: '0,15,30,45 * * * 1-5'

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck

    strategy:
      fail-fast: false
      matrix:
        # CodeQL runs on these branches. Pattern matching doesn't work, so we need to add relevant branches manually.
        branches:
          - 'master'
          - 'V5.4'
          - 'V6.0'

    steps:
      - name: Checkout branch
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branches }}

      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          # TODO: This should probably run against the builder or runtime in the Dockerfile.
          #       I don't think it is possible to detect those versions here, but maybe run against `go-version-input: 'stable'`
          #       and detect container vulnerabilities in a different action?
          go-version-input: '' # remove default
          go-version-file: 'go.mod'
          go-package: ./...
          repo-checkout: false # will checkout the default branch if left on true
          output-format: 'text' # leave on the default since other values will always result in successful completion of the action.