action.yml: provide option to checkout repository

The repo checkout is enabled by default, but that can lead to some
issues in case the repo was been checked out earlier and some files are,
say, generated. Hence, we make the checkout optional.

Fixes golang/go#61409

Change-Id: I9bf37fb66c02ef3aa7347e6d534e150766c28990
Reviewed-by: Ian Cottrell <>
TryBot-Bypass: Zvonimir Pavlinovic <>
2 files changed
tree: 67e58d8d4168461161b17c5bc0db413924ea1d78
  1. action.yml

GitHub Action for govulncheck

This repository holds the GitHub Action for govulncheck.

Govulncheck provides a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their dependencies. See details on Go's support for vulnerability management.

The govulncheck GitHub Action is currently experimental and is under active development.

Using the govulncheck GitHub Action

To use the govulncheck GitHub Action add the following step to your workflow:

- id: govulncheck
  uses: golang/govulncheck-action@v1

By default the govulncheck Github Action will run with the latest version of Go and analyze all packages in the provided Go module. Assuming you have the latest Go version installed locally, this is equivalent to running the following on your command line:

$ govulncheck ./...

To specify a specific Go version, directory in which to run govulncheck, or package pattern, use the following syntax:

- id: govulncheck
  uses: golang/govulncheck-action@v1
     go-version-input: <your-Go-version>
     go-package: <your-package-pattern>

For example, the code snippet below can be used to run govulncheck against a repository on every push:

on: [push]

    runs-on: ubuntu-latest
    name: Run govulncheck
      - id: govulncheck
        uses: golang/govulncheck-action@v1
           go-version-input: 1.20.6
           go-package: ./...

govulncheck Github Action accepts several other optional inputs:

work-dir: directory in which to run govulncheck, default '.'
repo-checkout: checkout the repository, default true
check-latest: check for the latest Go version, default false

When a vulnerability is found, an error will be displayed for that GitHub job with information about the vulnerability and how to fix it. For example:



Our canonical Git repository is located at There is a mirror of the repository at See for details on how to contribute.


The main issue tracker for the time repository is located at

If you want to report a bug or have a feature suggestion, please file an issue at, prefixed with govulncheck-action: in the title.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.