ci(validate-go): restore reachable-advisory allowlist via govulncheck-action fork#276
Merged
…-action fork

The govulncheck gate fails on ANY reachable advisory with no in-workflow override — #273 dropped the prior `.govulncheck-allow.txt` allowlist when moving to the official action. That wedges every Go PR on a consumer that links a reachable advisory with no upstream fix (`Fixed in: N/A`), e.g. ksail, which links server-side k8s/docker symbols transitively.

Point the scan at `devantler/govulncheck-action@feat/allow-file` (a fork adding an `allow-file` input) and pass `allow-file: .govulncheck-allow.txt`. The gate stays strict by default: a consumer with no allowlist file blocks on any reachable advisory, unchanged. A consumer that ships `.govulncheck-allow.txt` can risk-accept specific unfixable advisories with a version-controlled justification.

Bridge only — swap back to golang/govulncheck-action once the upstream allow-file change lands.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
Updates the org-wide reusable Go validation workflow to reintroduce a consumer opt-in allowlist for reachable govulncheck advisories (via a forked govulncheck-action that adds an allow-file input), so repos can explicitly risk-accept advisories that have no upstream fix without wedging all Go PRs.
Changes:
- Switches the `🛡️ Vulnerability Scan` step to a fork of `govulncheck-action` that supports `allow-file`.
- Passes `allow-file: .govulncheck-allow.txt` to enable opt-in, version-controlled advisory allowlisting.
- Expands in-workflow documentation describing the rationale and swap-back intent.
…for opt-in allowlist

Split the vuln scan on whether the consumer commits a `.govulncheck-allow.txt`: repos with no allowlist keep using the official golang/govulncheck-action (strict, unchanged); only opt-in repos take the thin devantler fork that adds the `allow-file` input. This minimises the fork's blast radius — the official action stays on the path for every consumer except ones explicitly accepting a no-upstream-fix advisory.

Also document the opt-in in the README and drop the inaccurate "feature request filed" wording (upstream is Gerrit-backed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🎉 This PR is included in version 5.4.3 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Problem

The `🛡️ Vulnerability Scan` job is the org-wide required workflow (org ruleset "Require workflows to pass before merging for Go", id 10320335), which pins this file at `refs/heads/main` and runs it on every Go PR org-wide. Since #273 moved the scan to the official `golang/govulncheck-action`, the gate fails on any reachable advisory with no in-workflow override. That wedges every Go PR on a consumer that links a reachable advisory with no upstream fix (`Fixed in: N/A`) — e.g. `ksail`, which links server-side `k8s.io/kubernetes` / `docker/docker` symbols transitively. ksail shipped a `.govulncheck-allow.txt` (risk-accepting 4 such advisories) expecting the v5.4.0 allowlist gate, but that logic was removed in #273, so the file is read by nothing and every ksail Go PR shows a red vuln scan.

What this does

Splits the scan on whether the consumer commits a `.govulncheck-allow.txt`:
- `present=false` and the scan runs the official `golang/govulncheck-action` exactly as today — a strict gate that blocks on any reachable advisory. This is the path for every consumer except opt-in ones, so the fork never touches the vast majority of Go repos (minimal blast radius — addresses the reviewer's supply-chain concern).
- `.govulncheck-allow.txt` (one accepted `GO-YYYY-NNNN` per line; `#` comments + blanks ignored) takes the `devantler/govulncheck-action@feat/allow-file` fork, which adds an `allow-file` input and fails only on reachable advisories not listed.

Blast radius

This file is the org-wide Go gate (ruleset tracks `main`), so merging applies to all Go consumers immediately. Safe because the default (no-allowlist) path is the official action, byte-for-byte the same strict gate; only repos that add an allowlist file change behavior and reach the fork.

Validation

- `actionlint -ignore code-quality` on this file: clean (the `code-quality` scope is the pre-existing false positive CI already ignores).
- `action.yml` (+69/-2) unit-tested under `bash`: allowlisted → excused, non-allowlisted reachable → blocks, strict/no-file → blocks all, all-allowlisted → passes.
- `.govulncheck-allow.txt`.

Follow-ups

- `golang/govulncheck-action` is a Gerrit-backed Go-project mirror — contributions go through go-review.googlesource.com and require a signed Google CLA, so this can't be filed via a GitHub PR autonomously. The fork is Gerrit-ready at `devantler/govulncheck-action@feat/allow-file`; once `allow-file` lands upstream, swap the opt-in `uses:` back to `golang/govulncheck-action@<sha>` and delete the fork.
- `🛡️ Vulnerability Scan` goes green and unblocks #4986 / #4945 / #4905. It must not be added to ksail's required-checks gate until then, or it wedges all Go PRs.
- Supersedes #275 (which re-implemented the scan as an in-workflow shim — "our own solution" — and was closed per maintainer review in favor of this official-action-preserving approach).
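As an added illustration (not the fork's `action.yml` and not this workflow's code), a POSIX shell sketch of the gate semantics the PR describes: allow-file parsing (`#` comments and blanks ignored), the allowlisted / not-allowlisted / no-file outcomes, and the official-vs-fork split. The function names, the advisory ids and the allow-file contents are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not the fork's action.yml): an allow-file gate with the
# semantics the PR describes. The reachable ids passed in are a constructed
# stand-in for govulncheck's reachable findings.

# Parse an allow-file: one GO-YYYY-NNNN per line, '#' comments and blank
# lines ignored. A missing or empty path yields an empty allowlist (strict).
read_allowlist() {
  [ -n "$1" ] && [ -f "$1" ] || return 0
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep -v '^$' || true
}

# vuln_gate "<space-separated reachable ids>" <allow-file-or-empty>
# Returns 0 only when every reachable advisory is allowlisted, else 1.
vuln_gate() {
  allowed="$(read_allowlist "$2")"
  unexcused=""
  for id in $1; do
    if printf '%s\n' "$allowed" | grep -qxF "$id"; then
      echo "excused by allow-file: $id" >&2
    else
      unexcused="$unexcused $id"
    fi
  done
  [ -z "$unexcused" ] && return 0
  echo "blocking: reachable advisories not allowlisted:$unexcused" >&2
  return 1
}

# The split the PR introduces: which 'uses:' a consumer takes.
scan_action() {
  if [ -f "$1" ]; then echo "devantler/govulncheck-action@feat/allow-file"
  else echo "golang/govulncheck-action"; fi
}

# Constructed sample allow-file; the GO- ids are placeholders, not real advisories.
ALLOW_FILE="$(mktemp)"
cat >"$ALLOW_FILE" <<'EOF'
# risk-accepted: no upstream fix (Fixed in: N/A)
GO-2024-0001
GO-2024-0002   # trailing comment is stripped
EOF

# The four cases the PR says it unit-tested (exit status shown at right).
vuln_gate "GO-2024-0001" "$ALLOW_FILE"                       # excused -> 0
vuln_gate "GO-2024-0001 GO-2024-0003" "$ALLOW_FILE" || true  # blocks  -> 1
vuln_gate "GO-2024-0001" "" || true                          # no file -> 1
vuln_gate "GO-2024-0001 GO-2024-0002" "$ALLOW_FILE"          # all ok  -> 0
```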