From a08d537622e20c25249d0a2230101509bb8e747d Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Wed, 10 Dec 2025 18:13:28 +0100
Subject: [PATCH 1/7] govulncheck: update Go before running the vuln checks
The `entrypoint.sh` runs the `go mod verify` command which will download the version of Go matching the `toolchain` in `go.mod`. This requires the `GOTOOLCHAIN` env var to be set to `auto` This change sure that the vuln check is executed with the same version of Go as the one used to build the binary :) see https://go.dev/doc/toolchain also, upgrade the code and the builder image to Go 1.24 also, upgrade other GitHub actions to their latest versions
Signed-off-by: Xavier Coulon
---
 .github/workflows/govulncheck-action-publish.yml | 2 +-
 .github/workflows/govulncheck-action-test-lint.yml | 2 +-
 govulncheck-action/Containerfile | 11 +++++++----
 govulncheck-action/entrypoint.sh | 12 ++++++++++++
 govulncheck-action/go.mod | 4 +---
 5 files changed, 22 insertions(+), 9 deletions(-)
 create mode 100755 govulncheck-action/entrypoint.sh
diff --git a/.github/workflows/govulncheck-action-publish.yml b/.github/workflows/govulncheck-action-publish.yml
index 8073fe0..9e77441 100644
--- a/.github/workflows/govulncheck-action-publish.yml
+++ b/.github/workflows/govulncheck-action-publish.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout code
-uses: actions/checkout@v5
+uses: actions/checkout@v6
 - name: Set short SHA
 id: short-sha
diff --git a/.github/workflows/govulncheck-action-test-lint.yml b/.github/workflows/govulncheck-action-test-lint.yml
index a3eedc8..c4031b0 100644
--- a/.github/workflows/govulncheck-action-test-lint.yml
+++ b/.github/workflows/govulncheck-action-test-lint.yml
@@ -16,7 +16,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@v6
 with:
 go-version-file: govulncheck-action/go.mod
diff --git a/govulncheck-action/Containerfile b/govulncheck-action/Containerfile
index af1ced4..056fb1c 100644
--- a/govulncheck-action/Containerfile
+++ b/govulncheck-action/Containerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23 as builder
+FROM golang:1.24 as builder
 ARG GOOS=linux
 ARG GOARCH=amd64
@@ -8,13 +8,16 @@ WORKDIR /usr/src/app/
 COPY . .
 RUN echo "Building for govulncheck $GOOS/$GOARCH"
-RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheck main.go
+RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheckx main.go
 FROM golang:1.23
 # using a fresh golang image without the `WORKDIR` from the builder stage
 # see https://docs.github.com/en/actions/reference/workflows-and-actions/dockerfile-support#workdir
 # copy the binary from the builder stage
-COPY --from=builder /usr/src/app/govulncheck /usr/local/bin/govulncheck
+COPY --from=builder /usr/src/app/govulncheckx /usr/local/bin/govulncheckx
+COPY --from=builder /usr/src/app/entrypoint.sh /usr/local/bin/entrypoint.sh
-ENTRYPOINT ["/usr/local/bin/govulncheck"]
\ No newline at end of file
+ENV GOTOOLCHAIN=auto
+
+ENTRYPOINT ["entrypoint.sh"]
\ No newline at end of file
diff --git a/govulncheck-action/entrypoint.sh b/govulncheck-action/entrypoint.sh
new file mode 100755
index 0000000..1626b58
--- /dev/null
+++ b/govulncheck-action/entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# upgrade the go version to match the `toolchain` directive in the `go.mod` file
+# see https://go.dev/doc/toolchain
+export GOTOOLCHAIN=auto
+go mod verify
+
+# Check the version of Go
+go version
+
+# Run the govulncheck command
+govulncheckx $@
\ No newline at end of file
diff --git a/govulncheck-action/go.mod b/govulncheck-action/go.mod
index 89b4577..46bc01f 100644
--- a/govulncheck-action/go.mod
+++ b/govulncheck-action/go.mod
@@ -1,8 +1,6 @@
 module github.com/codeready-toolchain/toolchain-cicd/govulncheck-action
-go 1.23.0
-
-toolchain go1.23.12
+go 1.24.0
 require (
 github.com/spf13/cobra v1.9.1
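Review bot: `ENTRYPOINT ["entrypoint.sh"]` drops the absolute path the replaced line used and leaves the script to a PATH lookup at container start; `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]` keeps the exec-form entrypoint independent of whatever PATH the runtime hands the container and matches the COPY destination two lines above. While here, `as builder` in the first hunk of this file is the lowercase casing BuildKit's FromAsCasing check flags; `AS builder` is the conventional form. The script is copied from the builder stage rather than the build context, which only works because that stage did `COPY . .`; a direct `COPY entrypoint.sh /usr/local/bin/entrypoint.sh` would make the dependency explicit.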
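Review bot: The script has no `set -e`, so a failing `go mod verify` (for instance when the toolchain download triggered by `GOTOOLCHAIN=auto` cannot reach the module proxy) does not stop the run; the scan still proceeds on the last line and the verify error is only visible in the log. If the toolchain switch is meant to be a precondition for the scan, add `set -euo pipefail` after the shebang. The final command should also be prefixed with `exec` (`exec govulncheckx "$@"`, with the quoting PATCH 6/7 adds) so the scanner replaces bash as PID 1 and receives the runtime's stop signal directly. A comment next to `export GOTOOLCHAIN=auto` would help future readers: per the linked toolchain document, `auto` only downloads a toolchain newer than the one bundled in the image, never an older one, and the download happens at action run time from the module proxy and is verified against the checksum database, so the Go actually used is whichever of the image's version and the scanned repository's `go.mod` requirement is newer.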
From b622ec139d7e3068536e5125ac88a6f660c4e246 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 10:09:37 +0100
Subject: [PATCH 2/7] testing image with custom entrypoint
Signed-off-by: Xavier Coulon
---
 govulncheck-action/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/govulncheck-action/action.yaml b/govulncheck-action/action.yaml
index ac08382..9763da1 100644
--- a/govulncheck-action/action.yaml
+++ b/govulncheck-action/action.yaml
@@ -15,7 +15,7 @@ inputs:
 runs:
 using: 'docker'
-image: 'docker://quay.io/codeready-toolchain/govulncheck-action:latest'
+image: 'docker://quay.io/codeready-toolchain/govulncheck-action:entrypoint-test'
 args:
 - --path=${{ inputs.path }}
 - --config=${{ inputs.config }}
From d7e4a91f4b8b0e05786461b9b9ed70da306258e9 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 10:12:02 +0100
Subject: [PATCH 3/7] fixing typo
Signed-off-by: Xavier Coulon
---
 govulncheck-action/Containerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/govulncheck-action/Containerfile b/govulncheck-action/Containerfile
index 056fb1c..f9f4a1a 100644
--- a/govulncheck-action/Containerfile
+++ b/govulncheck-action/Containerfile
@@ -7,7 +7,7 @@ WORKDIR /usr/src/app/
 COPY . .
-RUN echo "Building for govulncheck $GOOS/$GOARCH"
+RUN echo "Building govulncheckx binary for $GOOS/$GOARCH"
 RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheckx main.go
 FROM golang:1.23
From 148c4bd00bd4e82e2025bdf4028b568cc693d716 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 10:20:42 +0100
Subject: [PATCH 4/7] restore image tag to use and add comment
Signed-off-by: Xavier Coulon
---
 govulncheck-action/Containerfile | 4 +++-
 govulncheck-action/action.yaml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/govulncheck-action/Containerfile b/govulncheck-action/Containerfile
index f9f4a1a..9718816 100644
--- a/govulncheck-action/Containerfile
+++ b/govulncheck-action/Containerfile
@@ -10,9 +10,11 @@ COPY . .
 RUN echo "Building govulncheckx binary for $GOOS/$GOARCH"
 RUN GOOS=$GOOS GOARCH=$GOARCH go build -v -o govulncheckx main.go
-FROM golang:1.23
+FROM golang:1.24
 # using a fresh golang image without the `WORKDIR` from the builder stage
 # see https://docs.github.com/en/actions/reference/workflows-and-actions/dockerfile-support#workdir
+# using golang 1.24 but the entrypoint will trigger an install of the actual go version,
+# even if it is 1.23
 # copy the binary from the builder stage
 COPY --from=builder /usr/src/app/govulncheckx /usr/local/bin/govulncheckx
diff --git a/govulncheck-action/action.yaml b/govulncheck-action/action.yaml
index 9763da1..ac08382 100644
--- a/govulncheck-action/action.yaml
+++ b/govulncheck-action/action.yaml
@@ -15,7 +15,7 @@ inputs:
 runs:
 using: 'docker'
-image: 'docker://quay.io/codeready-toolchain/govulncheck-action:entrypoint-test'
+image: 'docker://quay.io/codeready-toolchain/govulncheck-action:latest'
 args:
 - --path=${{ inputs.path }}
 - --config=${{ inputs.config }}
From 3ef0f95550c48c209bf7c7d21c0ac9ad9cdc357e Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 10:29:18 +0100
Subject: [PATCH 5/7] remove duplicate statement
Signed-off-by: Xavier Coulon
---
 govulncheck-action/Containerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/govulncheck-action/Containerfile b/govulncheck-action/Containerfile
index 9718816..e934840 100644
--- a/govulncheck-action/Containerfile
+++ b/govulncheck-action/Containerfile
@@ -20,6 +20,4 @@ FROM golang:1.24
 COPY --from=builder /usr/src/app/govulncheckx /usr/local/bin/govulncheckx
 COPY --from=builder /usr/src/app/entrypoint.sh /usr/local/bin/entrypoint.sh
-ENV GOTOOLCHAIN=auto
-
 ENTRYPOINT ["entrypoint.sh"]
\ No newline at end of file
From 9c27da96b0f1a29b1de5a81bcf1c6a995bbb63c3 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 10:30:09 +0100
Subject: [PATCH 6/7] apply coderabbitai suggestion
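Review bot: The added comment `# even if it is 1.23` describes a downgrade that `GOTOOLCHAIN=auto` does not perform: per the toolchain document the entrypoint links, `auto` uses the image's bundled Go whenever it is at least as new as the `go`/`toolchain` lines of the module being scanned and only downloads a newer one, so a repository pinned to 1.23 is scanned with this image's 1.24. Since govulncheck's standard-library findings presumably follow the toolchain actually in use, that is the behaviour worth stating rather than its opposite. Suggested replacement for the two added comment lines: `# the entrypoint sets GOTOOLCHAIN=auto: a go.mod requiring a Go newer than this image's 1.24 gets that toolchain downloaded at run time; older requirements are scanned with the image's Go`. The rest of the runtime stage continues outside the hunk.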
Signed-off-by: Xavier Coulon
---
 govulncheck-action/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/govulncheck-action/entrypoint.sh b/govulncheck-action/entrypoint.sh
index 1626b58..24a2571 100755
--- a/govulncheck-action/entrypoint.sh
+++ b/govulncheck-action/entrypoint.sh
@@ -9,4 +9,4 @@ go mod verify
 go version
 # Run the govulncheck command
-govulncheckx $@
\ No newline at end of file
+govulncheckx "$@"
\ No newline at end of file
From 5abfa80cba5ed6db46744dcbd7934aa329c44806 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 11:07:50 +0100
Subject: [PATCH 7/7] specify go version via toolchain
Signed-off-by: Xavier Coulon
---
 govulncheck-action/go.mod | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/govulncheck-action/go.mod b/govulncheck-action/go.mod
index 46bc01f..0e328d1 100644
--- a/govulncheck-action/go.mod
+++ b/govulncheck-action/go.mod
@@ -2,6 +2,8 @@ module github.com/codeready-toolchain/toolchain-cicd/govulncheck-action
 go 1.24.0
+toolchain go1.24.11
+
 require (
 github.com/spf13/cobra v1.9.1
 github.com/stretchr/testify v1.9.0