✨ Implement support for private deps via GOPRIVATE & GH PAT (#21)
* ✨ Defined Build Args

* ✨ Passing args from ENV

* 🔧 Escaping

* Issue with escaping

* 🔧 Moved config to correct place

* ✨ Just wanting Token now

* 🐛 Using add flag

* 🐛 Corrected default value type

* 🐛 Mixed up states

* 🚧 Investigate weird behaviour

* 🚧 Print GOPRIVATE

* 🐛 Using correct config override

* ✨ Finalized Feature

* 📝 Documented feature

* 📝 Added missing link
Templum committed Jan 9, 2023
1 parent 4b43f32 commit 3967a17
Showing 4 changed files with 35 additions and 4 deletions.
6 changes: 6 additions & 0 deletions Dockerfile
@@ -16,5 +16,11 @@ FROM golang:$GOLANG_VERSION
ARG VULNCHECK_VERSION=latest
RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION

ARG GH_PAT_TOKEN
RUN if [[ -n "$GH_PAT_TOKEN" ]]; then echo "No token was provided"; else git config --global --add url."https://govulncheck_action:$GH_PAT_TOKEN@github.com/".insteadOf "https://github.com/"; fi

ARG GOPRIVATE
ENV GOPRIVATE=$GOPRIVATE

COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action
ENTRYPOINT ["/action"]
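Review bot: the test on the new `RUN` line is inverted: `-n "$GH_PAT_TOKEN"` is true when a token *is* supplied, so a provided token prints "No token was provided" and an absent token configures the `insteadOf` rewrite with an empty credential; use `[ -z "$GH_PAT_TOKEN" ]` or swap the two branches. `[[ ... ]]` is also a bash construct, and without a `SHELL` instruction `RUN` executes under `/bin/sh`, which on the Debian-based golang image is dash and does not know `[[`, so the `if` never evaluates as intended. Separately, passing the PAT as a build `ARG` bakes it into the image: the value is visible in `docker history` and the `git config --global` write persists in `~/.gitconfig` inside the layer. Prefer a BuildKit secret mount (`RUN --mount=type=secret,...`) for the one step that needs the token, or hand the token to `docker run` as an environment variable instead of to `docker build`.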
26 changes: 25 additions & 1 deletion README.md
@@ -57,6 +57,30 @@ jobs:
```
</details>

<details>
<summary>
Example configuration for repository that relies on a private library.
</summary>

> :information_source: This action for the moment works with [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) while creating one make sure it has write-read access to the dependent repositories as this is required for `$ go get`. Further following best practices create the token with the smallest possible scope.
```yaml
name: My Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@<version>
env:
GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
GOPRIVATE: "github.com/your-name/private-lib"

```
</details>

<details>
<summary>
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact.
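Review bot: the `:information_source:` note asks for a token with "write-read access" to the dependent repositories, but `go get` only clones, so read-only access is the smallest scope that works; say "read access" and point users at a fine-grained personal access token limited to those repositories with the Contents permission set to read, which matches the "smallest possible scope" advice that follows. The same note should also be split into two sentences ("... personal access token. While creating one, make sure ..."), and the YAML example carries a stray blank line before its closing fence.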
@@ -142,4 +166,4 @@ jobs:

> :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
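Review bot: the removed and added `:lock:` lines render identically here, so the change appears to be whitespace or the end-of-file newline only; while touching this line it is worth fixing the run-on, e.g. "Please be aware that if the token is not specified it uses `github.token`. For more details, check [those docs](...)."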
6 changes: 3 additions & 3 deletions action.yml
@@ -20,18 +20,18 @@ inputs:
required: false
fail-on-vuln:
description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
default: false
default: "false"
required: false
skip-upload:
description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
default: false
default: "false"
required: false

runs:
using: "composite"
steps:
- id: build
run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
shell: bash
- id: run
run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e DEBUG=${DEBUG} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
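Review bot: `--build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN` in the build step feeds the secret into the image build, where it ends up in the layer metadata shown by `docker history` and in the committed `~/.gitconfig`; because the image is rebuilt from `$GITHUB_ACTION_PATH` on each job runner the exposure is contained, but a BuildKit `--secret` mount would keep it out of the layers entirely. `GH_PAT_TOKEN` and `GOPRIVATE` are also read from the environment rather than declared under `inputs:` like `go-version` and `vulncheck-version`, which leaves them undocumented in action.yml and inconsistent with the other options. Quoting the `"false"` defaults is correct, since action inputs are always strings.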
1 change: 1 addition & 0 deletions main.go
@@ -39,6 +39,7 @@ func main() {
Str("Go-Version", info.Version).
Str("Go-Os", info.Os).
Str("Go-Arch", info.Arch).
Str("GOPRIVATE", os.Getenv("GOPRIVATE")).
Msg("GoEnvironment Details:")

logger.Debug().
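Review bot: logging `GOPRIVATE` here is fine, since it is a module-path pattern rather than a secret and makes the feature easier to debug; the hunk does not add an import, so confirm `os` is already imported in main.go, and keep the same discipline for `GH_PAT_TOKEN`, which must never appear in this log output.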