
feat: add reusable workflows for linting, vulnerability scanning, and dependency review #11

Open

alexlovelltroy wants to merge 3 commits into main from feature/add-lint-workflow

Conversation

@alexlovelltroy
Member

Description

This pull request adds several new reusable GitHub Actions workflows focused on security and workflow linting, and updates the documentation to describe their usage. These workflows provide automated checks for dependency vulnerabilities, Go module CVEs, container image CVEs, and workflow file best practices. The README is expanded with detailed usage instructions for each new workflow.

Implements portions of #132.

New reusable workflows for CI/CD security and linting:

  • Security scanning workflows:
    • Added .github/workflows/dependency-review.yml: Runs GitHub's dependency review action to gate PRs introducing dependencies with known vulnerabilities or disallowed licenses.
    • Added .github/workflows/govulncheck.yml: Runs the Go team's govulncheck tool to detect CVEs in Go modules, including transitive dependencies.
    • Added .github/workflows/trivy-image-scan.yml: Scans already-built container images for vulnerabilities with Trivy and uploads results to GitHub Advanced Security.
  • Workflow linting:
    • Added .github/workflows/lint-workflows.yml: Lints GitHub Actions workflow files using actionlint for syntax and shellcheck, and zizmor for security-focused static analysis with SARIF reporting.

Documentation updates:

  • README enhancements:
    • Listed all new workflows in the summary table.
    • Added detailed usage instructions and example YAML for each new workflow, including configuration options and typical use cases.

Checklist

  • My code follows the style guidelines of this project
  • I have added/updated comments where needed
  • I have added tests that prove my fix is effective or my feature works
  • I have run make test (or equivalent) locally and all tests pass
  • DCO Sign-off: All commits are signed off (git commit -s) with my real name and email
  • REUSE Compliance:
    • Each new/modified source file has SPDX copyright and license headers
    • Any non-commentable files include a <filename>.license sidecar
    • All referenced licenses are present in the LICENSES/ directory

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

For more info, see Contributing Guidelines.
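A caller workflow that wires in the four reusable workflows named in the description, as an added example that is not part of this PR or of the repository's README. The hosting repository OWNER/REPO, the `@main` ref and the trivy-image-scan input name `image-ref` are assumptions; the point it shows is that the caller job must grant at least the permissions each called workflow needs, since a reusable workflow can only narrow, never widen, the caller's token.

```yaml
# Added example caller workflow. OWNER/REPO is a placeholder for the repository
# that hosts the reusable workflows from this PR; prefer pinning to a commit SHA
# instead of @main so the called workflow cannot change underneath you.
name: security-checks

on:
  pull_request:
  push:
    branches: [main]

permissions: {}   # deny everything by default; grant per job below

jobs:
  dependency-review:
    # Only meaningful on pull requests: it diffs base and head manifests.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write     # lets the action post its summary comment
    uses: OWNER/REPO/.github/workflows/dependency-review.yml@main

  govulncheck:
    permissions:
      contents: read           # read-only is enough to run govulncheck
    uses: OWNER/REPO/.github/workflows/govulncheck.yml@main

  lint-workflows:
    permissions:
      contents: read
      security-events: write   # required to upload zizmor's SARIF to code scanning
    uses: OWNER/REPO/.github/workflows/lint-workflows.yml@main

  trivy-image-scan:
    permissions:
      contents: read
      security-events: write   # SARIF upload to GitHub Advanced Security
    uses: OWNER/REPO/.github/workflows/trivy-image-scan.yml@main
    with:
      # Hypothetical input name: the real input is declared by the reusable
      # workflow in the PR, which this page does not show. The image must
      # already be built and pushed, as the description states.
      image-ref: ghcr.io/OWNER/REPO:${{ github.sha }}
```

If a job's `permissions` block omits `security-events: write`, the SARIF upload step in the called workflow fails with a 403 regardless of what the reusable workflow declares, which is the most common misconfiguration when adopting workflows like these.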

alexlovelltroy and others added 3 commits June 4, 2026 15:19
… dependency review

Signed-off-by: Alex Lovell-Troy <alex@lovelltroy.org>
…ws and actions

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…s to latest versions

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>