govulncheck.yml

name: Check for Go vulnerabilities
# Runs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to proactively
# check for vulnerabilities in code packages if there were any changes made to
# any Go code or dependencies.
#
# Run `make vulncheck` from the root of the repo to run this workflow locally.
on:
  pull_request:
  merge_group:
  push:
    branches:
      - main
    paths:
      - "**.go"
      - go.mod
      - go.sum
      - Makefile
      - "!test/**"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "GO_VERSION=$(cat .github/workflows/go-version.env | grep GO_VERSION | cut -d '=' -f2)" >> $GITHUB_ENV

      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: govulncheck
        run: make vulncheck