diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 1fb1e19c..ddb8db90 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -158,7 +158,7 @@ jobs: uses: actions/cache@v4 with: path: ~/.cache/pre-commit - key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} + key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }} - name: Run pre-commit run: devbox run -- task pre-commit:run @@ -171,8 +171,10 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - id: govulncheck - uses: golang/govulncheck-action@v1 + - name: Install devbox + uses: jetpack-io/devbox-install-action@v0.8.0 with: - go-version-file: go.mod - check-latest: true + enable-cache: true + + - id: govulncheck + run: devbox run -- task go:vulncheck diff --git a/devbox.json b/devbox.json index fe9aec26..aac3aa46 100644 --- a/devbox.json +++ b/devbox.json @@ -14,6 +14,7 @@ "golines@latest", "goreleaser@latest", "gotestsum@latest", + "govulncheck@latest", "ko@latest", "kubernetes-helm@latest", "pre-commit@latest", diff --git a/devbox.lock b/devbox.lock index 321d536a..4c49ad42 100644 --- a/devbox.lock +++ b/devbox.lock 
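Review bot: The new cache key `pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }}` no longer varies with the interpreter, so a cached `~/.cache/pre-commit` can be restored after the devbox-provided Python has changed. The hook environments in that cache are built against a specific interpreter path, so they may be stale after a `devbox.lock` bump; pre-commit may rebuild them, but that is not guaranteed from what is visible here. Hashing the lock file as well would tie the cache to the toolchain: `key: pre-commit-3|${{ hashFiles('devbox.lock') }}|${{ hashFiles('.pre-commit-config.yaml') }}`. The cache step itself starts above this hunk.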
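Review bot: The added `Install devbox` step references `jetpack-io/devbox-install-action@v0.8.0` by tag, and a tag can be moved to different code after review. For a job whose purpose is vulnerability scanning, pinning the full commit SHA keeps the scanner's own supply chain fixed: `uses: jetpack-io/devbox-install-action@<full-commit-sha>  # v0.8.0`. Separately, govulncheck (1.0.4 in `devbox.lock`) and presumably the Go toolchain now come from the lock file rather than `check-latest: true`. Standard-library findings will therefore reflect the locked toolchain, not the newest patch release, so it is worth confirming that `devbox.lock` is refreshed on a schedule. The `- id: govulncheck` step also has no `name:`, unlike the other steps visible in this file.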
@@ -789,6 +789,54 @@ } } }, + "govulncheck@latest": { + "last_modified": "2024-03-22T11:26:23Z", + "resolved": "github:NixOS/nixpkgs/a3ed7406349a9335cb4c2a71369b697cecd9d351#govulncheck", + "source": "devbox-search", + "version": "1.0.4", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/w6n78s03arv75ymqhzb4lgbi3kx5kx5x-govulncheck-1.0.4", + "default": true + } + ], + "store_path": "/nix/store/w6n78s03arv75ymqhzb4lgbi3kx5kx5x-govulncheck-1.0.4" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/vzmbb40a0xy6hr9zw6r4jqhy786qpiaz-govulncheck-1.0.4", + "default": true + } + ], + "store_path": "/nix/store/vzmbb40a0xy6hr9zw6r4jqhy786qpiaz-govulncheck-1.0.4" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/zgcyah07vgd222pw8lksr7d4mys2gx1d-govulncheck-1.0.4", + "default": true + } + ], + "store_path": "/nix/store/zgcyah07vgd222pw8lksr7d4mys2gx1d-govulncheck-1.0.4" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/6lxqgj80bhikfq3a9azk6mfrlskb4rv2-govulncheck-1.0.4", + "default": true + } + ], + "store_path": "/nix/store/6lxqgj80bhikfq3a9azk6mfrlskb4rv2-govulncheck-1.0.4" + } + } + }, "ko@latest": { "last_modified": "2024-03-22T11:26:23Z", "resolved": "github:NixOS/nixpkgs/a3ed7406349a9335cb4c2a71369b697cecd9d351#ko", diff --git a/tasks/go.yaml b/tasks/go.yaml index cdb533f1..21918d69 100644 --- a/tasks/go.yaml +++ b/tasks/go.yaml 
@@ -73,3 +73,25 @@ tasks:
 task: clean-macro
 vars:
 MODULE_DIR: '{{.GO_SUBMODULE_PATH}}'
+
+ vulncheck-macro:
+ internal: true
+ dir: '{{.MODULE_DIR}}'
+ requires:
+ vars:
+ - MODULE_DIR
+ cmds:
+ - govulncheck ./...
+
+ vulncheck:
+ desc: Runs govulncheck for all modules in repository
+ vars:
+ GO_SUBMODULES: '$fd go.mod --min-depth 2 --strip-cwd-prefix --exec echo {//}/'
+ cmds:
+ - task: vulncheck-macro
+ vars:
+ MODULE_DIR: .
+ - for: {var: GO_SUBMODULES, as: GO_SUBMODULE_PATH}
+ task: vulncheck-macro
+ vars:
+ MODULE_DIR: '{{.GO_SUBMODULE_PATH}}'
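Review bot: The `vulncheck` task stops at the first module whose `govulncheck ./...` exits non-zero, because Task aborts a `cmds` list on the first failing command. Findings in later submodules therefore stay unreported until the earlier module is clean. The module list in `GO_SUBMODULES` also depends on `fd` defaults, which skip hidden and git-ignored paths, so a `go.mod` under such a directory is silently left out of the scan. If both behaviours are intended, a comment above `GO_SUBMODULES` would record them, for example `# fd skips hidden and git-ignored dirs; the run stops at the first module with findings`. The enclosing `tasks:` mapping starts outside this hunk.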