Skip to content

ci: add govulncheck workflow to auto-create issues for vulnerabilities#278

Merged
maniSbindra merged 3 commits into
mainfrom
ci/govulncheck-workflow
May 27, 2026
Merged

ci: add govulncheck workflow to auto-create issues for vulnerabilities#278
maniSbindra merged 3 commits into
mainfrom
ci/govulncheck-workflow

Conversation

@maniSbindra

Copy link
Copy Markdown
Contributor

Summary

Adds a new GitHub Actions workflow that runs govulncheck and automatically creates/updates/closes GitHub issues to track vulnerability findings on main.

Changes

  • New file: .github/workflows/govulncheck.yml

How it works

  1. Triggers: Push to main, nightly at 4:30 AM UTC, and manual dispatch
  2. Scan: Runs govulncheck -test -json ./... and detects findings via jq
  3. Issue create/update: If vulnerabilities found, creates or updates a single tracking issue (deduplicated by title + govulncheck label) with a link to the workflow run
  4. Issue close: If no vulnerabilities found and an open issue exists, closes it automatically

Design decisions

  • Uses Taskfile for govulncheck install (matching existing workflow patterns)
  • Uses tee so findings appear in run logs for agents/humans to inspect
  • Detects findings from JSON content, not exit codes (more reliable with -json mode)
  • Validates JSON before deciding "no findings" to avoid wrongly closing issues
  • Uses --body-file instead of expression interpolation to prevent shell injection
  • Keeps issue body simple/static — points to workflow run for full details
  • Global concurrency group to prevent issue creation races
  • Follows existing repo patterns: SHA-pinned actions, emoji step names, ubuntu-24.04, persist-credentials: false, Taskfile, etc.

Closes #275

Add a new GitHub Actions workflow that:
- Runs govulncheck on push to main, nightly (4:30 AM UTC), and manual dispatch
- Auto-creates/updates a GitHub issue with a link to the workflow run
- Deduplicates by matching existing open issues by title + label
- Auto-closes the issue when all vulnerabilities are resolved

Design decisions:
- Use Taskfile for govulncheck install (matching existing workflow patterns)
- Use tee so findings appear in run logs for agents/humans to inspect
- Detect findings from JSON content with jq, not exit codes
- Validate JSON before deciding no findings (avoid wrongly closing issues)
- Use --body-file to avoid shell injection from expression interpolation
- Keep issue body simple/static, pointing to workflow run for details
- Global concurrency group to prevent issue creation races
- Follow existing repo patterns (SHA-pinned actions, emoji names, etc.)

Closes #275

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/govulncheck.yml
Comment thread .github/workflows/govulncheck.yml
Comment thread .github/workflows/govulncheck.yml
maniSbindra and others added 2 commits May 27, 2026 11:42
The backticks in the echo statement are intentional markdown formatting,
not command substitutions. Add shellcheck disable directive to silence
the warning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@maniSbindra maniSbindra enabled auto-merge May 27, 2026 06:49
@maniSbindra maniSbindra added this pull request to the merge queue May 27, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 27, 2026
@maniSbindra maniSbindra added this pull request to the merge queue May 27, 2026
Merged via the queue into main with commit 9025d5e May 27, 2026
17 checks passed
@maniSbindra maniSbindra deleted the ci/govulncheck-workflow branch May 27, 2026 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: add govulncheck workflow to auto-create issues for detected vulnerabilities

2 participants