|
|
@@ -0,0 +1,37 @@
|
|
|
+name: govulncheck
|
|
|
+
|
|
|
+on:
|
|
|
+ schedule:
|
|
|
+ - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
|
|
|
+ workflow_dispatch: # allow manual trigger for testing
|
|
|
+ pull_request:
|
|
|
+ paths:
|
|
|
+ - ".github/workflows/govulncheck.yml"
|
|
|
+
|
|
|
+jobs:
|
|
|
+ source-scan:
|
|
|
+ runs-on: ubuntu-latest
|
|
|
+
|
|
|
+ steps:
|
|
|
+ - name: Check out code into the Go module directory
|
|
|
+ uses: actions/checkout@v3
|
|
|
+
|
|
|
+ - name: Install govulncheck
|
|
|
+ run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
|
+
|
|
|
+ - name: Scan source code for known vulnerabilities
|
|
|
+ run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
|
|
|
+
|
|
|
+ - uses: ruby/[email protected]
|
|
|
+ with:
|
|
|
+ payload: >
|
|
|
+ {
|
|
|
+ "attachments": [{
|
|
|
+ "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks>
|
|
|
+ (<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|commit>) of ${{ github.repository }}@${{ github.ref_name }} by ${{ github.event.head_commit.committer.name }}",
|
|
|
+ "color": "danger"
|
|
|
+ }]
|
|
|
+ }
|
|
|
+ env:
|
|
|
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
|
+ if: failure() && github.event_name == 'schedule'
|
Andrew Lytvynov