ci: Add govulncheck check (#461)

Author: jimmidyson

.github/workflows/checks.yml

@@ -219,3 +219,18 @@ jobs:
         run: |
           devbox run -- \
             kind delete cluster --name chart-testing || true
+
+  govulncheck:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        module: [api, common, .]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          work-dir: ${{ matrix.module }}
+          go-version-file: go.mod

devbox.json

@@ -16,6 +16,7 @@
     "golines@latest",
     "goreleaser@latest",
     "gotestsum@latest",
+    "govulncheck@latest",
     "helm-docs@latest",
     "hugo@latest",
     "kind@latest",

devbox.lock

@@ -909,6 +909,54 @@
         }
       }
     },
+    "govulncheck@latest": {
+      "last_modified": "2024-03-08T13:51:52Z",
+      "resolved": "github:NixOS/nixpkgs/a343533bccc62400e8a9560423486a3b6c11a23b#govulncheck",
+      "source": "devbox-search",
+      "version": "1.0.4",
+      "systems": {
+        "aarch64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/kcqx91mgrw03wgqzzx96xprfjzkkss96-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/kcqx91mgrw03wgqzzx96xprfjzkkss96-govulncheck-1.0.4"
+        },
+        "aarch64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/4m6afbm7qm1rq5ql9a0x4xcyzlj5i627-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/4m6afbm7qm1rq5ql9a0x4xcyzlj5i627-govulncheck-1.0.4"
+        },
+        "x86_64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/nx4dsdypvbvizasrgjhpv82kw0fjlgm4-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/nx4dsdypvbvizasrgjhpv82kw0fjlgm4-govulncheck-1.0.4"
+        },
+        "x86_64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/kp3rjfdaxjx0m021nxp0kng5xx26p2j5-govulncheck-1.0.4",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/kp3rjfdaxjx0m021nxp0kng5xx26p2j5-govulncheck-1.0.4"
+        }
+      }
+    },
     "helm-docs@latest": {
       "last_modified": "2024-03-08T13:51:52Z",
       "resolved": "github:NixOS/nixpkgs/a343533bccc62400e8a9560423486a3b6c11a23b#helm-docs",

make/go.mk

@@ -193,3 +193,17 @@ go-generate: ; $(info $(M) running go generate)
 go-mod-upgrade: ## Interactive check for direct module dependency upgrades
 go-mod-upgrade: ; $(info $(M) checking for direct module dependency upgrades)
 	go-mod-upgrade
+
+.PHONY: govulncheck
+govulncheck: ## Runs go fix for all modules in repository
+ifneq ($(wildcard $(REPO_ROOT)/go.mod),)
+govulncheck: govulncheck.root
+endif
+ifneq ($(words $(GO_SUBMODULES_NO_DOCS)),0)
+govulncheck: $(addprefix govulncheck.,$(GO_SUBMODULES_NO_DOCS:/go.mod=))
+endif
+
+.PHONY: ggovulncheck.%
+govulncheck.%: ## Runs golangci-lint for a specific module
+govulncheck.%: ; $(info $(M) running govulncheck on $* module)
+	$(if $(filter-out root,$*),cd $* && )govulncheck ./...