Skip to content

ci: add govulncheck workflow to auto-create issues for detected vulnerabilities #55

Description

@maniSbindra

Summary

The ci.yml workflow currently runs govulncheck as part of CI. When it detects known vulnerabilities in dependencies, it fails the workflow and blocks PRs from merging — even when the vulnerabilities are pre-existing and unrelated to the PR changes.

Proposal

Add a new GitHub Actions workflow (govulncheck.yml) that:

  1. Runs govulncheck on every push to main (and nightly + manual trigger)
  2. Automatically creates a GitHub issue with structured vulnerability details when findings are detected
  3. Deduplicates by updating the existing open issue (matched by title + govulncheck label) instead of creating duplicates
  4. Auto-closes the issue when all vulnerabilities are resolved

This keeps the existing CI workflow unchanged while providing automated tracking and visibility for vulnerability findings.

Acceptance Criteria

  • New .github/workflows/govulncheck.yml workflow file
  • Triggers: push to main, nightly schedule, manual dispatch
  • Runs govulncheck -test -json ./... and detects findings
  • Creates/updates a single tracking issue (deduplicated by title + label)
  • Auto-closes the issue when vulnerabilities are resolved
  • Uses existing repo patterns: SHA-pinned actions, Taskfile, ubuntu-24.04, persist-credentials: false
  • Uses --body-file instead of expression interpolation to prevent shell injection
  • Global concurrency group to prevent issue creation races

Reference

Based on the equivalent workflow added to Azure/mpf in Azure/mpf#278

Metadata

Metadata

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions