ci: Use govulncheck task to use same version of go as project

mesosphere · Apr 10, 2024 · e269f2f · e269f2f
1 parent 1c49cd5
commit e269f2f
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 5 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -158,7 +158,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.cache/pre-commit
-          key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+          key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }}
 
       - name: Run pre-commit
         run: devbox run -- task pre-commit:run
@@ -171,8 +171,10 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v4
 
-      - id: govulncheck
-        uses: golang/govulncheck-action@v1
+      - name: Install devbox
+        uses: jetpack-io/devbox-install-action@v0.8.0
         with:
-          go-version-file: go.mod
-          check-latest: true
+          enable-cache: true
+
+      - id: govulncheck
+        run: devbox run -- task go:vulncheck
diff --git a/devbox.json b/devbox.json
@@ -14,6 +14,7 @@
     "golines@latest",
     "goreleaser@latest",
     "gotestsum@latest",
+    "govulncheck@latest",
     "ko@latest",
     "kubernetes-helm@latest",
     "pre-commit@latest",

diff --git a/devbox.lock b/devbox.lock
@@ -789,6 +789,54 @@
         }
       }
     },
+    "govulncheck@latest": {
+      "last_modified": "2024-03-22T11:26:23Z",
+      "resolved": "github:NixOS/nixpkgs/a3ed7406349a9335cb4c2a71369b697cecd9d351#govulncheck",
+      "source": "devbox-search",
+      "version": "1.0.4",
+      "systems": {
+        "aarch64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/w6n78s03arv75ymqhzb4lgbi3kx5kx5x-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/w6n78s03arv75ymqhzb4lgbi3kx5kx5x-govulncheck-1.0.4"
+        },
+        "aarch64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/vzmbb40a0xy6hr9zw6r4jqhy786qpiaz-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/vzmbb40a0xy6hr9zw6r4jqhy786qpiaz-govulncheck-1.0.4"
+        },
+        "x86_64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/zgcyah07vgd222pw8lksr7d4mys2gx1d-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/zgcyah07vgd222pw8lksr7d4mys2gx1d-govulncheck-1.0.4"
+        },
+        "x86_64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/6lxqgj80bhikfq3a9azk6mfrlskb4rv2-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/6lxqgj80bhikfq3a9azk6mfrlskb4rv2-govulncheck-1.0.4"
+        }
+      }
+    },
     "ko@latest": {
       "last_modified": "2024-03-22T11:26:23Z",
       "resolved": "github:NixOS/nixpkgs/a3ed7406349a9335cb4c2a71369b697cecd9d351#ko",

diff --git a/tasks/go.yaml b/tasks/go.yaml
@@ -73,3 +73,25 @@ tasks:
         task: clean-macro
         vars:
           MODULE_DIR: '{{.GO_SUBMODULE_PATH}}'
+
+  vulncheck-macro:
+    internal: true
+    dir: '{{.MODULE_DIR}}'
+    requires:
+      vars:
+        - MODULE_DIR
+    cmds:
+      - govulncheck ./...
+
+  vulncheck:
+    desc: Runs govulncheck for all modules in repository
+    vars:
+      GO_SUBMODULES: '$fd go.mod --min-depth 2 --strip-cwd-prefix --exec echo {//}/'
+    cmds:
+      - task: vulncheck-macro
+        vars:
+          MODULE_DIR: .
+      - for: {var: GO_SUBMODULES, as: GO_SUBMODULE_PATH}
+        task: vulncheck-macro
+        vars:
+          MODULE_DIR: '{{.GO_SUBMODULE_PATH}}'