feat(validate-go): risk-acceptance allowlist for the govulncheck gate

[devantler]

🤖 Generated by the Daily AI Assistant

Implements the mechanism proposed in #271.

Problem

The 🛡️ Vulnerability Scan gate added in #266 runs a hard govulncheck ./... and fails the PR on exit 3 (any reachable advisory). After the OOM fix (#270, released v5.3.2) the scan completes on large modules — and reveals the gate is unsatisfiable for a large consumer: govulncheck reports reachable vulnerabilities with no upstream fix (Fixed in: N/A), so no dependency bump can clear them. The gate then blocks every Go PR on that consumer, and will do so on any repo the moment a new advisory lands for a reachable-but-unpatched symbol.

Reproduced locally against ksail main (go 1.26.3): GOMEMLIMIT=12GiB govulncheck ./... completes (577s / 12.4 GB) but exits 3 on 4 advisories — GO-2026-4887, GO-2026-4883 (docker/docker, Moby daemon-side), GO-2025-3547, GO-2025-3521 (k8s.io/kubernetes, apiserver-side) — all Fixed: N/A, all reached only via package-init / generic-poll utility chains (ksail is a client CLI, not the Moby daemon or a kube-apiserver).

Change

Run govulncheck in JSON mode (which exits 0 on findings) and fail only on reachable findings whose advisory ID is not listed in an optional, consumer-owned .govulncheck-allow.txt at the repo root:

GO-2025-3547  # k8s apiserver race — this is a client CLI, not an apiserver (owner, 2026-06)

• No allowlist file ⇒ strict, unchanged — every reachable advisory blocks, exactly as a plain govulncheck ./....
• Risk acceptance is explicit, justified, reviewed, and version-controlled (the standard pattern for govulncheck-in-CI; govulncheck v1.3.0 has no native suppression).
• "Reachable" is determined the same way govulncheck does (len(Trace)>0 && Trace[0].Function != ""), so imported-but-unreachable advisories still never count.
• A non-zero govulncheck exit in JSON mode is treated as an operational error (e.g. packages failed to load) and fails the gate loudly — it never silently passes.
• Still one scan (the expensive part is unchanged); only the gating/reporting around it changed. Keeps GOMEMLIMIT/timeout-minutes from fix(validate-go): bound govulncheck memory so it stops OOM-killing the runner #270.

Validation

• Gating logic unit-tested locally against synthetic govulncheck JSON across 4 cases: vulns + no allowlist → blocks all (≡ today); vulns + full allowlist → passes; vulns + partial allowlist → blocks only the non-allowlisted; clean scan → passes. Imported-but-unreachable advisory correctly never counted.
• actionlint: no new findings (only the pre-existing code-quality permission-scope false-positive, present on main); embedded shellcheck clean on the new step.
• This workflow's vuln job if: github.repository != 'devantler-tech/reusable-workflows', so rw's own CI can't exercise it — the local unit tests above stand in.

Policy (maintainer's call — separate from this mechanism)

This PR is the mechanism only; default behaviour is unchanged. Whether to accept the four ksail advisories above (and with what justification) is a security-policy decision for a follow-up .govulncheck-allow.txt in the ksail repo.

Links

• Fixes feat(validate-go): risk-acceptance allowlist for the govulncheck gate — currently unsatisfiable for large consumers (reachable-but-unpatched vulns) #271 · follows ci(security): add govulncheck supply-chain scanning to validate-go-project #266 (gate) and fix(validate-go): govulncheck Vulnerability Scan OOM-kills the runner on large modules #269/fix(validate-go): bound govulncheck memory so it stops OOM-killing the runner #270 (OOM fix, v5.3.2)
• Unblocks ksail#4982 and ksail#4984 once this lands and ksail adds its allowlist.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[devantler]

🤖 Generated by the Daily AI Assistant

CI status note (one unrelated transient flake; this PR's own logic could not be exercised by rw's CI).

• The validate-go-project jobs — including 🛡️ Vulnerability Scan, the one this PR changes — skip on the reusable-workflows repo itself (if: github.repository != 'devantler-tech/reusable-workflows'), so rw's own CI cannot exercise the new gating. Validation was done locally instead: the gating logic was unit-tested against synthetic govulncheck JSON across four cases (vulns + no allowlist → blocks all, ≡ today; full allowlist → passes; partial allowlist → blocks only the non-allowlisted; clean scan → passes; an imported-but-unreachable advisory is correctly never counted), and actionlint reports no new findings (only the pre-existing code-quality permission-scope false-positive on main), with the embedded shellcheck clean.
• The one red check, [Test] Delete Workflow Runs - All Workflows, is unrelated to this diff (this PR touches only validate-go-project.yaml + README.md). It failed on a transient GitHub-API error while the third-party Mattraks/delete-workflow-runs action paginated runs in dry-run: true mode: GET /repositories/.../actions/runs?...page=18 - 500 → ❌ Action failed: other side closed. The sibling Delete Workflow Runs - Minimal/Specific tests passed, and this job is green on main (8/8 recent runs), confirming a per-run API flake rather than a regression.
• I could not re-run it autonomously (the auto-mode classifier fail-closes on re-running a chain that includes the destructive — though here dry-run — delete-workflow-runs job). It will clear on the next CI trigger. Left for promotion.

[botantler]

🎉 This PR is included in version 5.4.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

[devantler]

🤖 Generated by the Daily AI Assistant

Merge-ready — cleared the CI flake; sole remaining blocker is GitHub's mergeability recompute.

This PR is promoted, the required CI - Required Checks gate is green, and there are 0 unresolved review threads. The earlier red was an unrelated transient flake: [Test] Delete Workflow Runs - All Workflows hit a GitHub-API HTTP 500 ("other side closed") while paginating runs in dry-run mode (its Minimal/Specific sibling variants passed; this diff only touches validate-go-project.yaml, whose jobs skip on this repo). I cleared it with a fast-forward empty re-trigger commit (d1bee43, same tree — not a force-push) → CI re-ran fully green.

The only thing not satisfied is GitHub's internal mergeStateStatus, which has been stuck at UNKNOWN (mergeable: null) for ~20 min — the known nondeterministic mergeability-recompute lag, not a real gate. I'm holding the merge fail-closed (the contract requires CLEAN, never UNKNOWN); it will merge on the next tick once GitHub settles the flag, or you can merge directly now.

Once this lands, the release pipeline cuts a new validate-go-project version carrying the .govulncheck-allow.txt mechanism — which then unblocks ksail#4982 and ksail#4984 (after ksail bumps to that release and adds an allowlist with the accepted OSV IDs — that which-IDs-to-accept choice remains a maintainer security-policy call, as noted in the PR body).