
govulncheck: update Go before running the vuln checks#161

Merged: xcoulon merged 7 commits into codeready-toolchain:master from xcoulon:govulncheck_action_entrypoint_script on Dec 11, 2025

Conversation

xcoulon (Contributor) commented Dec 10, 2025

The `entrypoint.sh` runs the `go mod verify` command which will download
the version of Go matching the `toolchain` in `go.mod`.
This requires the `GOTOOLCHAIN` env var to be set to `auto`.
This change makes sure that the vuln check is executed with the same version of
Go as the one used to build the binary :)

see https://go.dev/doc/toolchain

also, upgrade the code and the builder image to Go 1.24
also, upgrade other GitHub actions to their latest versions

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

Summary by CodeRabbit

  • Chores
    • Upgraded Go toolchain to 1.24 across the project and container image.
    • Updated CI actions to newer setup/checkout versions.
    • Refined container image: updated base, introduced an entrypoint script, and adjusted the runtime artifact name for the final image.


coderabbitai bot commented Dec 10, 2025

Walkthrough

Updates to CI/workflows, container build, and Go toolchain: workflows bump actions/checkout and actions/setup-go to v6; Containerfile and go.mod move to Go 1.24, the built binary is renamed to govulncheckx, and a new entrypoint.sh is added and used as the container ENTRYPOINT.

Changes

Cohort / File(s): Summary

  • GitHub Actions workflows (.github/workflows/govulncheck-action-publish.yml, .github/workflows/govulncheck-action-test-lint.yml): bumped actions/checkout from v5 → v6 and actions/setup-go from v5 → v6 in workflow steps.
  • Container image & build (govulncheck-action/Containerfile): base images updated from golang:1.23 → golang:1.24; build output/binary renamed govulncheck → govulncheckx; copies entrypoint.sh into the image and sets ENTRYPOINT to it.
  • Entrypoint script (govulncheck-action/entrypoint.sh): new Bash entrypoint that sets GOTOOLCHAIN=auto, runs go mod verify, prints go version, then execs govulncheckx with forwarded args.
  • Go module / toolchain (govulncheck-action/go.mod): go directive bumped from 1.23.0 → 1.24.0 and toolchain reference updated to go1.24.x.

Sequence Diagram(s)

(omitted — changes do not introduce a multi-component runtime control flow requiring a sequence diagram)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Verify binary rename consistency: govulncheckx referenced everywhere (build, entrypoint, Containerfile, any packaging).
  • Inspect entrypoint.sh for correct exec/argument forwarding and safe error handling (use of exec vs. shell invocation).
  • Confirm Go 1.24 toolchain in go.mod and base images aligns with module requirements and any CI expectations.
  • Check workflows for any deprecated inputs when upgrading actions/setup-go and actions/checkout to v6.

Suggested reviewers

  • MatousJobanek
  • rsoaresd
  • alexeykazakov

Poem

🐇 I hopped through Docker, Go, and CI bright,

Renamed my binary and set entrypoint right.
From one-two-three to one-two-four I spring,
Workflows updated — hear the build bells ring! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'govulncheck: update Go before running the vuln checks' directly and accurately reflects the main change: updating the Go toolchain before executing vulnerability checks via an entrypoint script.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
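The entrypoint described in the walkthrough above, written out as an added example (this is not the project's entrypoint.sh): it follows the same sequence (GOTOOLCHAIN=auto, `go mod verify`, `go version`, exec govulncheckx with forwarded arguments) but quotes `"$@"` as the ShellCheck SC2068 finding asks and checks for go.mod first, addressing the working-directory concern raised in review. `GO_BIN` and `SCANNER_BIN` are assumed overrides added so the logic can be exercised without the real tools.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. Same sequence as the PR:
# GOTOOLCHAIN=auto, `go mod verify` (downloads the toolchain named in the
# scanned repo's go.mod), print the Go version, then exec govulncheckx with
# the caller's arguments forwarded verbatim.
set -eu

# Assumed overrides so the logic can be exercised without the real tools;
# in the container they default to the tools on PATH.
GO_BIN="${GO_BIN:-go}"
SCANNER_BIN="${SCANNER_BIN:-govulncheckx}"

# Fail fast if the working directory is not the module being scanned
# (`go mod verify` needs the go.mod/go.sum of the target repository).
require_module() {
  if [ ! -f go.mod ]; then
    echo "entrypoint: no go.mod in $PWD; run from the repository root" >&2
    return 1
  fi
}

# Let the go command fetch and switch to the toolchain go.mod asks for,
# then report which version will actually run the scan.
prepare_toolchain() {
  export GOTOOLCHAIN=auto
  "$GO_BIN" mod verify
  "$GO_BIN" version
}

# Forward arguments with "$@" quoted (ShellCheck SC2068): an unquoted $@
# would re-split "a b" into two words and glob-expand patterns like *.go.
# exec makes the scanner PID 1 so its exit status is the container's.
run_scanner() {
  exec "$SCANNER_BIN" "$@"
}

main() {
  require_module
  prepare_toolchain
  run_scanner "$@"
}

# Run only when invoked as entrypoint.sh (as the Containerfile does);
# sourcing this file for tests defines the functions without running them.
case "$0" in
  *entrypoint.sh) main "$@" ;;
esac
```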

coderabbitai bot left a review comment:

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc2c77b and a08d537.

📒 Files selected for processing (5)
  • .github/workflows/govulncheck-action-publish.yml (1 hunks)
  • .github/workflows/govulncheck-action-test-lint.yml (1 hunks)
  • govulncheck-action/Containerfile (2 hunks)
  • govulncheck-action/entrypoint.sh (1 hunks)
  • govulncheck-action/go.mod (1 hunks)
🧰 Additional context used
🪛 Shellcheck (0.11.0)
govulncheck-action/entrypoint.sh

[error] 12-12: Double quote array expansions to avoid re-splitting elements.

(SC2068)

🔇 Additional comments (5)
govulncheck-action/Containerfile (1)

1-1: LGTM on the builder upgrade, binary rename, and entrypoint setup.

The following changes look correct:

  • Builder image upgraded to golang:1.24
  • Binary renamed to govulncheckx to avoid conflicts
  • Both binary and entrypoint script properly copied
  • GOTOOLCHAIN=auto environment variable set
  • Entrypoint script configured as the container entry point

These changes align well with the PR objectives once the final image version is corrected.

Also applies to: 11-11, 18-19, 21-21, 23-23

govulncheck-action/entrypoint.sh (1)

6-6: Verify that go mod verify runs in the correct working directory.

The script runs go mod verify which requires access to go.mod and go.sum files. Ensure that when this entrypoint is invoked, the working directory is set to the target repository being scanned (not the govulncheck-action directory itself). Check the action.yml configuration and Dockerfile/Containerfile to confirm the WORKDIR is properly set to the repository root where the Go module files are located.

.github/workflows/govulncheck-action-publish.yml (1)

16-16: v6 is the latest stable version of actions/checkout—no action needed.

Verification confirms that actions/checkout@v6 is the current latest stable version available on the GitHub Marketplace.

govulncheck-action/go.mod (1)

3-3: Go 1.24.0 is officially released and stable (as of February 11, 2025), so no action is required.

.github/workflows/govulncheck-action-test-lint.yml (1)

19-19: actions/setup-go@v6 is the latest stable version and requires no changes.

The v6 tag currently resolves to v6.1.0 (released November 20, 2025), which is the latest stable release. Using the major version tag (@v6) is appropriate and allows for automatic patch and minor version updates while preventing breaking changes from major version upgrades.

coderabbitai bot left a review comment:

Actionable comments posted: 0

♻️ Duplicate comments (1)
govulncheck-action/Containerfile (1)

13-13: Final image still on Go 1.23 – update to 1.24 to match builder and runtime expectations.

The final stage still uses golang:1.23, while the builder and go.mod are on 1.24. Since the container runs go mod verify and relies on GOTOOLCHAIN=auto to pull the toolchain declared in the repo, aligning the base image to Go 1.24 avoids version skew and keeps behavior consistent with the build environment.

Consider updating the final stage as well:

-FROM golang:1.23
+FROM golang:1.24
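Review bot: the suggested `FROM golang:1.24` is a floating tag, so the final stage moves to each new 1.24.x patch release on every rebuild; that is acceptable here because the entrypoint's `go mod verify` under `GOTOOLCHAIN=auto` fetches whatever newer toolchain the scanned repository's go.mod asks for anyway, but pin the tag to a digest if the published action image is expected to be reproducible.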
🧹 Nitpick comments (3)
govulncheck-action/Containerfile (2)

10-11: Optional: collapse echo + build into a single RUN layer.

Functionally this is fine, but you could slightly simplify the image and reduce layers by combining these into one RUN:

-RUN echo "Building govulncheckx binary for $GOOS/$GOARCH"
-RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheckx main.go
+RUN echo "Building govulncheckx binary for $GOOS/$GOARCH" && \
+    GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheckx main.go
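Review bot: merging the two `RUN` lines is fine, but both depend on `$GOOS` and `$GOARCH` being declared with `ARG` or `ENV` earlier in the builder stage; if either is unset it expands to an empty string and `go build` silently targets the build host's platform, so the echo is worth keeping precisely because it surfaces the resolved values in the build log.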

18-23: Ensure entrypoint.sh is executable and consistent with ENV GOTOOLCHAIN usage.

Copying entrypoint.sh into /usr/local/bin and using ENTRYPOINT ["entrypoint.sh"] relies on:

  • /usr/local/bin being on PATH (true for the standard golang image), and
  • the script having the executable bit set in git so Docker preserves it on COPY.

Also, ENV GOTOOLCHAIN=auto here complements the entrypoint logic; if the script is also exporting GOTOOLCHAIN=auto, you’re double-covered (redundant but harmless). Just ensure the shebang and shell used in entrypoint.sh matches what’s available in the base image.

govulncheck-action/action.yaml (1)

18-18: Confirm the :entrypoint-test image tag is intended for production use.

Using the govulncheck-action:entrypoint-test tag here looks like a temporary/testing tag. Before merging, consider whether this should point to a stable tag (e.g. :latest or a versioned tag) that will be published by your release workflow, so consumers of the action don’t depend on a test-specific image name.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a08d537 and d7e4a91.

📒 Files selected for processing (2)
  • govulncheck-action/Containerfile (2 hunks)
  • govulncheck-action/action.yaml (1 hunks)
🔇 Additional comments (1)
govulncheck-action/Containerfile (1)

1-1: Builder upgraded to Go 1.24 – looks good.

Using golang:1.24 in the builder stage aligns with the updated go.mod / toolchain requirements and the PR’s goal of testing against Go 1.24.

@xcoulon
Copy link
Contributor Author

xcoulon commented Dec 11, 2025

works fine on codeready-toolchain/guardian-cockpit 🤩

...
go: downloading go1.24.11 (linux/amd64)
all modules verified
go version go1.24.11 linux/amd64
...

coderabbitai bot left a review comment:

Actionable comments posted: 0

🧹 Nitpick comments (1)
govulncheck-action/Containerfile (1)

13-25: Final stage now matches Go 1.24; consider a couple of small hardening tweaks.

The previous mismatch between builder and final image is resolved — both now use golang:1.24, and adding GOTOOLCHAIN=auto plus wiring entrypoint.sh is consistent with the described behavior.

Two optional improvements you may want to consider:

  • Use an absolute entrypoint path for clarity and to avoid relying on PATH: ENTRYPOINT ["/usr/local/bin/entrypoint.sh"].
  • Optionally pin the image to a patch version (golang:1.24.x) or digest for better reproducibility.

If you decide to pin, ensure the chosen golang:1.24.x (or digest) matches the version you expect GOTOOLCHAIN to bootstrap against in your target repositories.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d7e4a91 and 148c4bd.

📒 Files selected for processing (1)
  • govulncheck-action/Containerfile (2 hunks)
🔇 Additional comments (1)
govulncheck-action/Containerfile (1)

1-11: Builder stage upgrade and binary rename look consistent.

Using golang:1.24 in the builder and emitting govulncheckx (with the corresponding echo) aligns with the PR intent and keeps the build stage self-consistent. No issues from this file’s context.

Please just double‑check that any callers (e.g., entrypoint script or CI wiring) expect the govulncheckx binary name and there are no remaining references to the old govulncheck name elsewhere in the repo.

MatousJobanek (Collaborator) left a review comment:

Nice

coderabbitai bot left a review comment:

Actionable comments posted: 0

🧹 Nitpick comments (1)
govulncheck-action/Containerfile (1)

23-23: Prefer absolute path in ENTRYPOINT for clarity.

While entrypoint.sh should be found via PATH lookup, using the absolute path makes the configuration more explicit and avoids any potential PATH-related issues.

Apply this diff to use the absolute path:

-ENTRYPOINT ["entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
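Review bot: switching to the absolute path in the exec-form `ENTRYPOINT` is the right call, and in that form any arguments the action passes are appended to the script, so the script must forward them as a quoted `"$@"`; the ShellCheck SC2068 finding reported earlier on entrypoint.sh line 12 indicates an unquoted `$@`, which re-splits arguments containing spaces and glob-expands patterns before they reach govulncheckx.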
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 148c4bd and 5abfa80.

📒 Files selected for processing (3)
  • govulncheck-action/Containerfile (2 hunks)
  • govulncheck-action/entrypoint.sh (1 hunks)
  • govulncheck-action/go.mod (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • govulncheck-action/go.mod
  • govulncheck-action/entrypoint.sh
🔇 Additional comments (2)
govulncheck-action/Containerfile (2)

1-1: LGTM! Go 1.24 upgrade and binary rename look good.

The builder and final stages both correctly use golang:1.24, and the binary has been consistently renamed to govulncheckx throughout the build process.

Also applies to: 10-11, 13-13


16-17: LGTM! Helpful documentation.

The comments clearly explain the entrypoint's behavior regarding Go version management, which aligns with the PR objectives.

@xcoulon xcoulon merged commit bcdba76 into codeready-toolchain:master Dec 11, 2025
3 checks passed
@xcoulon xcoulon deleted the govulncheck_action_entrypoint_script branch December 11, 2025 10:19
