action.yml: unset GOOS/GOARCH when installing govulncheck

When a caller sets GOOS=windows at the job level (e.g.
prometheus/windows_exporter, which builds for Windows but runs
CI on Linux), go install would build govulncheck for Windows
instead of the Linux runner, causing "command not found" on
execution.

Clearing GOOS and GOARCH in the install step ensures the tool
is always built for the host platform.

Change-Id: Ied55d19c2f0e733f7882e1f1348db2c4c9f38f1d
GitHub-Last-Rev: b5c359d5956ae33a422e0ed76106f6cf3e63cb89
GitHub-Pull-Request: golang/govulncheck-action#9
Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/785640
Auto-Submit: Sean Liao <sean@liao.dev>
TryBot-Bypass: Sean Liao <sean@liao.dev>
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
Auto-Submit: Hyang-Ah Hana Kim <hyangah@gmail.com>
Reviewed-by: Sean Liao <sean@liao.dev>
Reviewed-by: Cherry Mui <cherryyz@google.com>
1 file changed
tree: 936996f71addf60a443c8d8630d2d85e876fc7c7
  1. action.yml
  2. CONTRIBUTING.md
  3. LICENSE
  4. PATENTS
  5. README.md
README.md

GitHub Action for govulncheck

This repository holds the GitHub Action for govulncheck.

Govulncheck provides a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their dependencies. See details on Go's support for vulnerability management.

The govulncheck GitHub Action is currently experimental and is under active development.

Using the govulncheck GitHub Action

To use the govulncheck GitHub Action add the following step to your workflow:

- id: govulncheck
  uses: golang/govulncheck-action@v1

By default the govulncheck GitHub Action will run with the latest version of Go and analyze all packages in the provided Go module. Assuming you have the latest Go version installed locally, this is equivalent to running the following on your command line:

$ govulncheck ./...

To specify a specific Go version, directory in which to run govulncheck, or package pattern, use the following syntax:

- id: govulncheck
  uses: golang/govulncheck-action@v1
  with:
     go-version-input: <your-Go-version>
     go-package: <your-package-pattern>

For example, the code snippet below can be used to run govulncheck against a repository on every push:

on: [push]

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
           go-version-input: 1.20.6
           go-package: ./...

govulncheck GitHub Action accepts several other optional inputs:

work-dir: directory in which to run govulncheck, default '.'
repo-checkout: checkout the repository, default true
check-latest: check for the latest Go version, default false
cache: specify if caching is needed, default true
cache-dependency-path: specify path to go.sum file (for monorepos), default ''
go-version-file: go.mod or go.work file specifying Go version, default ''
output-format: the format of govulncheck output ('text', 'json', or 'sarif'), default 'text'
output-file: the file to which the output is redirected, default '' (no
redirection)

The precedence for inputs go-version-input, go-version-file, check-latest, cache, and cache-dependency-path specifying Go version and caches is inherited from actions/setup-go.

The govulncheck-action follows the exit codes of govulncheck command. Specifying the output format ‘json’ or ‘sarif’ will return success even if there are some vulnerabilities detected. See here for more information.

When a vulnerability is found with ‘text’ output format, an error will be displayed for that GitHub job with information about the vulnerability and how to fix it. For example:

image

Contributing

Our canonical Git repository is located at https://go.googlesource.com/govulncheck-action. There is a mirror of the repository at https://github.com/golang/govulncheck-action. See https://go.dev/doc/contribute.html for details on how to contribute.

Feedback

The main issue tracker for the time repository is located at

If you want to report a bug or have a feature suggestion, please file an issue at https://github.com/golang/go/issues, prefixed with govulncheck-action: in the title.

License

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.