commit | 1ea760651e09004683cbcb231ee0ab504bc87919 | |
---|---|---|
author | Kir Kolyshkin <kolyshkin@gmail.com> | Tue May 06 16:43:25 2025 -0700 |
committer | Sean Liao <sean@liao.dev> | Mon May 12 12:37:08 2025 -0700 |
tree | 516866aae123d53fc5386cc7372c22f75265d5f0 | |
parent | f03a9d4ce4ca31ed6f289906dad4f34c2ac9a23b | |

action.yml: update actions to fix caching issue

When the action is run, it complains when trying to save the cache:

> Failed to save: Unable to reserve cache with key
> setup-go-Linux-ubuntu24-go-1.23.0-xxxx
> another job may be creating this cache. More details: This legacy
> service is shutting down, effective April 15, 2025. Migrate to the new
> service ASAP. For more information: https://gh.io/gha-cache-sunset

This is caused by using an obsoleted version of actions/setup-go, which is being fixed in v5.3.0 [1].

There were other important actions/setup-go updates as well (such as including the arch in the cache key in v5.1.0 [2]).

For complete changes, see https://github.com/actions/setup-go/compare/v5.0.0...v5.4.0 and https://github.com/actions/setup-go/releases.

Update actions/checkout as well; for changes, see https://github.com/actions/checkout/compare/v4.1.1...v4.2.2 and https://github.com/actions/checkout/releases.

Fixes golang/go#73616

[1]: https://github.com/actions/setup-go/releases/tag/v5.3.0
[2]: https://github.com/actions/setup-go/releases/tag/v5.1.0

Change-Id: I124d20136cc34f06ac5dad7b0c535fdc3ad0fa0e
Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/670318
TryBot-Bypass: Sean Liao <sean@liao.dev>
Reviewed-by: Sean Liao <sean@liao.dev>
Commit-Queue: Sean Liao <sean@liao.dev>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Commit-Queue: Kirill Kolyshkin <kolyshkin@gmail.com>
Run-TryBot: Kirill Kolyshkin <kolyshkin@gmail.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>

This repository holds the GitHub Action for govulncheck.
Govulncheck provides a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their dependencies. See details on Go's support for vulnerability management.
The govulncheck GitHub Action is currently experimental and is under active development.
To use the govulncheck GitHub Action add the following step to your workflow:
```yaml
- id: govulncheck
  uses: golang/govulncheck-action@v1
```
By default the govulncheck GitHub Action will run with the latest version of Go and analyze all packages in the provided Go module. Assuming you have the latest Go version installed locally, this is equivalent to running the following on your command line:
```
$ govulncheck ./...
```
To specify a specific Go version, directory in which to run govulncheck, or package pattern, use the following syntax:
```yaml
- id: govulncheck
  uses: golang/govulncheck-action@v1
  with:
    go-version-input: <your-Go-version>
    go-package: <your-package-pattern>
```
For example, the code snippet below can be used to run govulncheck against a repository on every push:
```yaml
on: [push]

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: 1.20.6
          go-package: ./...
```
The govulncheck GitHub Action accepts several other optional inputs:

- `work-dir`: directory in which to run govulncheck, default '.'
- `repo-checkout`: checkout the repository, default true
- `check-latest`: check for the latest Go version, default false
- `go-version-file`: go.mod or go.work file specifying Go version, default ''
- `output-format`: the format of govulncheck output ('text', 'json', or 'sarif'), default 'text'
- `output-file`: the file to which the output is redirected, default '' (no redirection)
The precedence for inputs `go-version-input`, `go-version-file`, and `check-latest` specifying Go version is inherited from actions/setup-go.
The govulncheck-action follows the exit codes of the govulncheck command. Specifying the output format ‘json’ or ‘sarif’ will return success even if there are some vulnerabilities detected. See here for more information.
When a vulnerability is found with ‘text’ output format, an error will be displayed for that GitHub job with information about the vulnerability and how to fix it. For example:
Our canonical Git repository is located at https://go.googlesource.com/govulncheck-action. There is a mirror of the repository at https://github.com/golang/govulncheck-action. See https://go.dev/doc/contribute.html for details on how to contribute.
The main issue tracker for the time repository is located at
If you want to report a bug or have a feature suggestion, please file an issue at https://github.com/golang/go/issues, prefixed with `govulncheck-action:` in the title.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.