Summary
The ci.yml workflow currently runs govulncheck as part of CI. When it detects known vulnerabilities in dependencies, it fails the workflow and blocks PRs from merging — even when the vulnerabilities are pre-existing and unrelated to the PR changes.
Proposal
Add a new GitHub Actions workflow (govulncheck.yml) that:
- Runs
govulncheck on every push to main (and nightly + manual trigger)
- Automatically creates a GitHub issue with structured vulnerability details when findings are detected
- Deduplicates by updating the existing open issue (matched by title +
govulncheck label) instead of creating duplicates
- Auto-closes the issue when all vulnerabilities are resolved
This keeps the existing CI workflow unchanged while providing automated tracking and visibility for vulnerability findings.
Acceptance Criteria
Reference
Based on the equivalent workflow added to Azure/mpf in Azure/mpf#278
Summary
The
ci.ymlworkflow currently runsgovulncheckas part of CI. When it detects known vulnerabilities in dependencies, it fails the workflow and blocks PRs from merging — even when the vulnerabilities are pre-existing and unrelated to the PR changes.Proposal
Add a new GitHub Actions workflow (
govulncheck.yml) that:govulncheckon every push tomain(and nightly + manual trigger)govulnchecklabel) instead of creating duplicatesThis keeps the existing CI workflow unchanged while providing automated tracking and visibility for vulnerability findings.
Acceptance Criteria
.github/workflows/govulncheck.ymlworkflow filemain, nightly schedule, manual dispatchgovulncheck -test -json ./...and detects findingsubuntu-24.04,persist-credentials: false--body-fileinstead of expression interpolation to prevent shell injectionReference
Based on the equivalent workflow added to Azure/mpf in Azure/mpf#278