refactor(validate-go): use the official golang/govulncheck-action#273
Merged
Replace the hand-rolled govulncheck step (manual `go install` + a ~60-line custom JSON-mode scan with a `.govulncheck-allow.txt` allowlist) with the official golang/govulncheck-action@v1.0.4, pinned by SHA. The action sets up Go from go.mod, installs govulncheck, and runs `govulncheck ./...` in its default (text) mode, failing the job on any reachable finding — the same call-graph-reachability gate as before. Kept: the harden-runner step, the hardened checkout (persist-credentials:false, with the action's own checkout disabled via repo-checkout:false), and the GOMEMLIMIT/timeout-minutes guards (the scan still builds a whole-program call graph, so the OOM tuning still applies). This drops the `.govulncheck-allow.txt` risk-acceptance allowlist, which the official action does not support. No repo currently ships an allowlist file, so there is no behavior change for any current consumer. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
This PR refactors the reusable “Validate Go Project” workflow to use the official golang/govulncheck-action for Go vulnerability scanning, replacing the previous custom govulncheck installation + JSON parsing gate.
Changes:
- Replace the hand-rolled `govulncheck` scan logic with `golang/govulncheck-action@v1.0.4` (SHA-pinned) in `.github/workflows/validate-go-project.yaml`.
- Update README documentation to reflect the new govulncheck implementation and remove the prior allowlist description.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Updates workflow feature documentation to reference golang/govulncheck-action and removes the allowlist text. |
| .github/workflows/validate-go-project.yaml | Replaces the custom govulncheck setup/scan script with the official action while keeping hardened checkout and existing resource tuning. |
🎉 This PR is included in version 5.4.1 🎉
The release is available on GitHub release.
Your semantic-release bot 📦🚀
This was referenced Jun 2, 2026
Migrates the Go vulnerability gate from a hand-rolled implementation to the official action, per maintainer direction.

What

Replaces the custom `govulncheck` step in `validate-go-project.yaml` with the official `golang/govulncheck-action@v1.0.4` (pinned by SHA `b625fbe`).

- Before: `actions/setup-go` + `go install golang.org/x/vuln/cmd/govulncheck@v1.3.0` + a ~60-line custom JSON-mode scan with a `.govulncheck-allow.txt` allowlist.
- After: the action sets up Go from `go.mod`, installs govulncheck, and runs `govulncheck ./...` in default (text) mode — failing the job on any reachable finding. Same call-graph-reachability gate, ~71 fewer lines.

Kept unchanged: `harden-runner`, the hardened checkout (`persist-credentials: false`; the action's own checkout is disabled via `repo-checkout: false`), and the job-level `GOMEMLIMIT: 12GiB` + `timeout-minutes: 15` (the scan still builds a whole-program call graph, so the OOM tuning still applies).

Trade-off (intentional)

This drops the `.govulncheck-allow.txt` risk-acceptance allowlist — the official action has no equivalent. No repo currently ships an allowlist file, so there is no behavior change for any current consumer. If a reachable advisory with no upstream fix (`Fixed in: N/A`) ever appears (e.g. a server-side symbol linked transitively via `k8s.io/kubernetes`), the gate will block with no in-workflow override; the recourse is then to bump the dep, drop the call, or re-introduce a gating shim. Chosen deliberately in favor of the simpler, official integration.

Scope

`govulncheck` is implemented only here — there is no custom govulncheck action in `devantler-tech/actions`, and consumers (e.g. `ksail`) don't reimplement it; they inherit this gate by calling `validate-go-project.yaml@<tag>`. So this single workflow change is the whole migration. Consumers pick it up automatically on the next release + their routine version bump — no per-consumer edit needed.

Validation

- `actionlint` (with the CI's `-ignore code-quality`) and `yamllint`: pass.
- (`repo-checkout`, `go-version-file`).
- `ci.yaml`'s `[Test] Validate Go Project` job only checks the workflow is callable (every internal job self-skips on this repo via the `github.repository != ...` guard); the gate runs end-to-end on consumers post-release.

🤖 Generated with Claude Code
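The refactored job that the PR description and commit message above describe, reconstructed here as an added example (not the repository's actual `validate-go-project.yaml`): hardened checkout with credentials not persisted, the official action SHA-pinned with its own checkout disabled, and the job-level memory and timeout guards. All action SHAs are placeholders to be replaced with the full commit SHA of the reviewed tag, and the `permissions` block and `egress-policy: audit` are my assumptions, not from the PR.

```yaml
# Added illustration of the reusable workflow's govulncheck job.
# <FULL_SHA...> values are placeholders: pin to the full 40-char commit SHA.
name: Validate Go Project
on:
  workflow_call:

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    timeout-minutes: 15        # kept: whole-program call graph can run long
    env:
      GOMEMLIMIT: 12GiB        # kept: job-level OOM tuning still applies
    permissions:               # assumption: read-only token for a scan-only job
      contents: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@<FULL_SHA_OF_PINNED_TAG> # placeholder
        with:
          egress-policy: audit # assumption; tighten to block once egress is known

      - name: Hardened checkout
        uses: actions/checkout@<FULL_SHA_OF_PINNED_TAG> # placeholder
        with:
          persist-credentials: false  # no GITHUB_TOKEN left in .git/config

      - name: Run govulncheck (official action)
        # v1.0.4; the page cites short SHA b625fbe, use the full SHA here
        uses: golang/govulncheck-action@<FULL_SHA_b625fbe...> # v1.0.4
        with:
          repo-checkout: false        # reuse the hardened checkout above
          go-version-file: go.mod     # Go version taken from the consumer's go.mod
          go-package: ./...           # default text mode: any reachable finding fails the job
```

With no allowlist input on the official action, a reachable advisory with no upstream fix blocks the gate until the dependency is bumped or the call removed, as the trade-off section states.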