
govulncheck: run from a container#561

Merged
xcoulon merged 4 commits into codeready-toolchain:master from xcoulon:govulncheck_dockerfile_regsvc
Dec 12, 2025

Conversation

@xcoulon (Contributor) commented Dec 10, 2025

see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

Summary by CodeRabbit

  • Chores
    • CI vulnerability-check workflow updated to enable debug output and small non-functional formatting tweaks.
    • Vulnerability suppression metadata updated: several silence-until dates extended and two new entries added (non-functional metadata changes).

@coderabbitai bot commented Dec 10, 2025

Walkthrough

Updated the govulncheck GitHub Actions workflow and the vulnerability-silence manifest: the workflow step parameters were changed (removed some inputs, added debug), and multiple silence-until dates were extended along with two new vulnerability entries in .govulncheck.yaml.

Changes

Workflow configuration (.github/workflows/govulncheck.yml):
  • Removed go-version-file: go.mod and cache: false from the govulncheck step; added debug: true (with comment); retained config: .govulncheck.yaml.

Vulnerability-silence manifest (.govulncheck.yaml):
  • Updated silence-until dates for GO-2025-4013, GO-2025-4012, GO-2025-4011, GO-2025-4010, GO-2025-4009, GO-2025-4008 and GO-2025-4007 (moved to 2026-01-08); added GO-2025-4155 (2026-01-09) and GO-2025-4175 (2026-01-10); minor newline metadata edits.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Check workflow runs after removing go-version-file and cache to ensure govulncheck action still resolves correctly.
  • Confirm debug: true was intentionally enabled and that log verbosity is acceptable.
  • Verify .govulncheck.yaml paths and entries are valid and that date changes align with policy.

Possibly related PRs

Suggested labels

lgtm

Suggested reviewers

  • mfrancisc
  • MatousJobanek
  • alexeykazakov

Poem

🐇 I hopped through YAML lines tonight,

Debug turned on, dates set just right,
Two new IDs tucked in with care,
Workflow trimmed and tidy as a hare,
A small update — I nibble with delight.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Title check ⚠️ Warning: The PR title 'govulncheck: run from a container' does not match the actual changes shown in the raw summary, which involve updating govulncheck configuration files and vulnerability silence dates rather than implementing container-based execution. Resolution: update the PR title to accurately reflect the actual changes, such as 'govulncheck: update vulnerability silence dates and add workflow debug flag' or similar.
✅ Passed checks (2 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between 4e13cc8 and 70c8dda.

📒 Files selected for processing (1)
  • .govulncheck.yaml (1 hunks)
🔇 Additional comments (2)
.govulncheck.yaml (2)

7-7: Approve: Updated silence-until dates and structure.

The changes appropriately extend the silence-until dates for existing Go stdlib vulnerabilities (GO-2025-4013, 4012, 4011, 4010, 4009, 4008, 4007) to 2026-01-08. The YAML structure is valid, comments are clear and informative, and the vulnerability references are correct.

Also applies to: 13-13, 19-19, 25-25, 31-31, 37-37, 43-43


44-55: Verify: Confirm intent of staggered silence-until dates.

Two new vulnerabilities are added (GO-2025-4155 and GO-2025-4175) but their silence-until dates (2026-01-09 and 2026-01-10 respectively) differ from the existing vulnerabilities (2026-01-08).

Confirm whether this staggering is intentional (e.g., different risk profiles, phased upgrade plan) or if they should be aligned for consistency in maintenance.


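The review above asks whether the staggered silence-until dates are intentional, but a reviewer also wants to know when one of them has already lapsed, since a suppression that outlives its date keeps hiding a finding. The script below is an added example, not the project's own tooling and not the toolchain-cicd govulncheck-action code: it lists the entries of a silence manifest whose date is before a given day and returns non-zero so a CI step can gate on it. The manifest layout it reads (a list of `- id:` / `silence-until:` pairs) is an assumption made for this example; only the key name `silence-until` and the GO-2025-* identifiers come from this page, and the sample manifest is constructed inline.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Lists silence entries whose
# silence-until date has already passed, so a lapsed suppression is noticed
# instead of silently hiding a finding.
# The manifest layout (a list of "- id:" / "silence-until:" pairs) is an
# assumption for this example; only the key "silence-until" and the
# GO-2025-* ids come from the PR.

# write_sample_manifest PATH
# Writes a constructed manifest in the assumed layout (sample data, not the
# repository's real .govulncheck.yaml).
write_sample_manifest() {
  cat > "$1" <<'EOF'
# constructed sample manifest
silence:
  - id: GO-2025-4013
    silence-until: 2026-01-08
  - id: GO-2025-4155
    silence-until: "2026-01-09"
  - id: GO-2025-4175
    silence-until: 2026-01-10
EOF
}

# expired_silences MANIFEST TODAY
# Prints "<id> <silence-until>" for every entry dated strictly before TODAY
# (YYYY-MM-DD). ISO-8601 dates order correctly as plain strings, so no
# date(1) parsing is needed and the check stays portable across awks.
expired_silences() {
  awk -v today="$2" '
    /^[ \t]*-[ \t]*id:/ { id = $NF }
    /silence-until:/ {
      d = $NF
      gsub(/"/, "", d)
      if (d < today) print id, d
    }
  ' "$1"
}

# fail_on_expired MANIFEST TODAY
# Exit status 1 when any silence has lapsed, so a CI step can gate on it.
fail_on_expired() {
  out=$(expired_silences "$1" "$2")
  if [ -n "$out" ]; then
    printf 'lapsed silences:\n%s\n' "$out" >&2
    return 1
  fi
  return 0
}

# Demo on the constructed sample, pinned to a fixed date for reproducibility:
# on 2026-01-09 only GO-2025-4013 (silenced until 2026-01-08) has lapsed.
tmp=$(mktemp -d)
write_sample_manifest "$tmp/govulncheck.yaml"
fail_on_expired "$tmp/govulncheck.yaml" 2026-01-09 || echo "demo: lapsed entries found (expected)"
rm -rf "$tmp"
```

In a real workflow the second argument would be `$(date +%Y-%m-%d)`; it is pinned here so the demo gives the same answer every day.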

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
@codecov bot commented Dec 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.54%. Comparing base (6c59623) to head (0da54ad).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #561   +/-   ##
=======================================
  Coverage   81.54%   81.54%           
=======================================
  Files          46       46           
  Lines        2802     2802           
=======================================
  Hits         2285     2285           
  Misses        431      431           
  Partials       86       86           
Flag Coverage Δ
unittests 81.54% <ø> (ø)


xcoulon and others added 2 commits December 11, 2025 14:08
@rsoaresd (Contributor) left a comment


🚀


@rsoaresd (Contributor) commented

/retest

infra issue - publish-components-for-e2e-tests failed with:

+ curl -L -s https://github.com/operator-framework/operator-sdk/releases/download/v1.40.0/checksums.txt.asc -o checksums.txt.asc
+ gpg -u 'Operator SDK (release) <cncf-operator-sdk@cncf.io>' --verify checksums.txt.asc
gpg: assuming signed data in 'checksums.txt'
gpg: Signature made Mon Jun  2 18:59:36 2025 UTC
gpg:                using RSA key 8613DB87A5BA825EF3FD0EBE2A859D08BF9886DB
gpg: Good signature from "Operator SDK (release) <cncf-operator-sdk@cncf.io>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 3B2F 1481 D146 2380 80B3  46BB 0529 96E2 A20B 5C7E
     Subkey fingerprint: 8613 DB87 A5BA 825E F3FD  0EBE 2A85 9D08 BF98 86DB
+ chmod +x operator-sdk
+ sudo cp operator-sdk /bin/operator-sdk
+ rm operator-sdk
+ operator-sdk version
/usr/bin/operator-sdk: line 1: !DOCTYPE: No such file or directory
/usr/bin/operator-sdk: line 2: !--
: No such file or directory
/usr/bin/operator-sdk: line 3: $'\r': command not found
/usr/bin/operator-sdk: line 4: Hello: command not found
/usr/bin/operator-sdk: line 6: $'\r': command not found
/usr/bin/operator-sdk: line 7: unexpected EOF while looking for matching `''
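
The transcript above shows the download step proceeding even though the file it fetched was an HTML page: the signature on checksums.txt was checked (with an expired-key note), but nothing in the log verifies the binary against that checksum list before it is copied into /bin. The shell below is an added example and not the project's CI script: it refuses to install an artifact unless its SHA-256 matches the entry in the checksum list and the file starts with the ELF magic bytes. It assumes checksums.txt uses the `sha256sum` layout (`<hex digest>  <filename>`), which is an assumption here rather than something shown on the page; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not the project's CI script. Verifies a downloaded release
# artifact against a checksum list before installing it. Assumption: the
# checksum list uses sha256sum's "<hex digest>  <filename>" layout.

# digest FILE: prints the SHA-256 hex digest (sha256sum, or shasum on macOS).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_artifact FILE CHECKSUMS
# Returns 0 only if FILE's digest matches the entry for its basename in
# CHECKSUMS and the file begins with the ELF magic 7f 45 4c 46.
# The magic check is what would have caught the HTML page in the log above:
# curl -L -s follows redirects and stays quiet, so an error page lands on
# disk under the binary's name unless something inspects it.
verify_artifact() {
  file="$1"
  sums="$2"
  name=$(basename "$file")
  # sha256sum may prefix binary-mode names with "*"; strip it before comparing.
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "verify: no checksum entry for $name" >&2
    return 1
  fi
  if [ "$(digest "$file")" != "$expected" ]; then
    echo "verify: checksum mismatch for $name" >&2
    return 1
  fi
  magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
  if [ "$magic" != "7f454c46" ]; then
    echo "verify: $name is not an ELF binary (magic $magic)" >&2
    return 1
  fi
  return 0
}

# install_verified FILE CHECKSUMS DESTDIR
# Copies FILE into DESTDIR only after verify_artifact succeeds.
install_verified() {
  verify_artifact "$1" "$2" || return 1
  cp "$1" "$3/$(basename "$1")" && chmod 0755 "$3/$(basename "$1")"
}

# Demo on constructed files: a fake ELF and an HTML error page, both listed
# in a constructed checksums.txt. Only the ELF one installs.
tmp=$(mktemp -d)
mkdir "$tmp/bin"
printf '\177ELF\002\001\001constructed-fake-binary\n' > "$tmp/operator-sdk"
printf '<!DOCTYPE html>\n<!-- Hello -->\n' > "$tmp/operator-sdk.html"
{
  printf '%s  operator-sdk\n' "$(digest "$tmp/operator-sdk")"
  printf '%s  operator-sdk.html\n' "$(digest "$tmp/operator-sdk.html")"
} > "$tmp/checksums.txt"
install_verified "$tmp/operator-sdk" "$tmp/checksums.txt" "$tmp/bin" && echo "demo: fake ELF installed"
install_verified "$tmp/operator-sdk.html" "$tmp/checksums.txt" "$tmp/bin" || echo "demo: HTML page rejected (expected)"
rm -rf "$tmp"
```

The checksum comparison only means something if checksums.txt itself was signature-verified first, as the log does with gpg; the expired-key note in that output is a separate problem (gpg still reports a good signature, but a pipeline that wants to fail on it has to check for the note or use `--status-fd` output, which this example does not do).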

@openshift-ci bot commented Dec 11, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, rsoaresd, xcoulon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,alexeykazakov,rsoaresd,xcoulon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xcoulon xcoulon merged commit ec0a190 into codeready-toolchain:master Dec 12, 2025
13 of 16 checks passed
@xcoulon xcoulon deleted the govulncheck_dockerfile_regsvc branch December 12, 2025 09:34


4 participants