From 32ea217f39d61317cebf9a5cfb6b44344ffaf066 Mon Sep 17 00:00:00 2001 From: Nick Otter Date: Wed, 9 Oct 2024 14:26:26 -0600 Subject: [PATCH 1/3] ci(go): run govulncheck as part of testing --- .github/workflows/go_app_pull_requests.yml | 7 +++++++ .github/workflows/go_lib_pull_requests.yml | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/.github/workflows/go_app_pull_requests.yml b/.github/workflows/go_app_pull_requests.yml index 7cdf08f..0535982 100644 --- a/.github/workflows/go_app_pull_requests.yml +++ b/.github/workflows/go_app_pull_requests.yml @@ -94,6 +94,13 @@ jobs: - name: go test run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname | xargs -n1 -I{} bash -c "pushd {}; go test --race -v ./..." + # Install govulncheck + - id: install-govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + # Run govulncheck for every Go module + - id: govulncheck + run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname + | xargs -n1 -I{} bash -c "pushd {}; govulncheck ./..." docker-build: # # ensures the docker image will build without pushing to the registry diff --git a/.github/workflows/go_lib_pull_requests.yml b/.github/workflows/go_lib_pull_requests.yml index 1009506..38c15f7 100644 --- a/.github/workflows/go_lib_pull_requests.yml +++ b/.github/workflows/go_lib_pull_requests.yml @@ -103,3 +103,10 @@ jobs: run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname | xargs -n1 -I{} bash -c "pushd {}; go test --race -v ./..." + # Install govulncheck + - id: install-govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + # Run govulncheck for every Go module + - id: govulncheck + run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname + | xargs -n1 -I{} bash -c "pushd {}; govulncheck ./..." From a790f71bffac442b912ba087536f5f0a4fc18cfc Mon Sep 17 00:00:00 2001 
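Review bot: The new install-govulncheck step runs `go install golang.org/x/vuln/cmd/govulncheck@latest`, so the scanner binary is whatever was published at run time and two runs of the same commit can disagree; pin a tagged release, `run: go install golang.org/x/vuln/cmd/govulncheck@v<pinned-version>`, and bump it deliberately. The identical hunk in go_lib_pull_requests.yml has the same issue. In the govulncheck step, `pushd {}; govulncheck ./...` carries on when `pushd` fails and scans whatever the current directory then is, and the module path is spliced into the command string; `| xargs -n1 -I{} bash -c 'cd "$1" && govulncheck ./...' _ {}` stops on a bad directory and passes the path as an argument instead. Both new steps carry only an `id:` where the neighbouring `go test` step has a `name:`, so the job log shows the raw command rather than a label.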
From: Nick Otter
Date: Fri, 25 Oct 2024 16:26:16 -0600
Subject: [PATCH 2/3] ci: run vulnerability scan in its own task
---
 .github/workflows/go_app_pull_requests.yml | 28 ++++++++++++++++++++--
 .github/workflows/go_lib_pull_requests.yml | 26 ++++++++++++++++++++
 2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/go_app_pull_requests.yml b/.github/workflows/go_app_pull_requests.yml
index 6b49960..386531f 100644
--- a/.github/workflows/go_app_pull_requests.yml
+++ b/.github/workflows/go_app_pull_requests.yml
@@ -96,11 +96,36 @@ jobs:
 # Run unit test for evet Go module.
 - name: go test
 run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname
- | xargs -n1 -I{} bash -c "pushd {}; go test --race -v ./..."
+ | xargs -n1 -I{} bash -c "pushd {}; go test -coverprofile=coverage.txt --race -v ./..."
 - name: Upload test coverage results to Codecov
 uses: codecov/codecov-action@v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
+ vulnerabilities:
+ #
+ # ensure go standards and tests pass
+ #
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ # List of go versions to test on.
+ go: ['^1']
+ steps:
+ # Checkout go code to test.
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ # Setup Go for each version in the matrix.
+ - name: Setup Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: ${{ matrix.go }}
+ # Use auth to get access to private Git repos for Go code dependencies.
+ - name: Configure git for private modules
+ env:
+ TOKEN: ${{ secrets.GH_CI_PAT }}
+ GITHUB_USERNAME: ${{ inputs.GH_CI_USER }}
+ run: git config --global url."https://${GITHUB_USERNAME}:${TOKEN}@github.com".insteadOf
+ "https://github.com"
 # Install govulncheck
 - id: install-govulncheck
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
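Review bot: The header comment of the new `vulnerabilities` job, `# ensure go standards and tests pass`, is copied from the test job and does not describe this job; `# scan every Go module for known vulnerabilities with govulncheck` would. The same block is added to go_lib_pull_requests.yml in the next hunk. The `Configure git for private modules` step writes `GH_CI_PAT` into the runner's global git config in clear text, presumably the existing pattern from the test job, but the token now lives in two jobs, so its scope and rotation should be reviewed with the scanner job in mind, and a comment saying why the scan needs private-module access would help the next reader. The `install-govulncheck` and `govulncheck` steps that now close this job appear only as context, so the hunk cannot confirm that their indentation lands under the new `steps:`. This copy uses `go: ['^1']` while the go_lib copy uses `go: ["^1"]`; pick one quoting style.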
@@ -108,7 +133,6 @@ jobs:
 - id: govulncheck
 run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname
 | xargs -n1 -I{} bash -c "pushd {}; govulncheck ./..."
- | xargs -n1 -I{} bash -c "pushd {}; go test -coverprofile=coverage.txt --race -v ./..."
 docker-build:
 #
 # ensures the docker image will build without pushing to the registry
diff --git a/.github/workflows/go_lib_pull_requests.yml b/.github/workflows/go_lib_pull_requests.yml
index 2ab1fa8..b23ffde 100644
--- a/.github/workflows/go_lib_pull_requests.yml
+++ b/.github/workflows/go_lib_pull_requests.yml
@@ -110,6 +110,32 @@ jobs:
 uses: codecov/codecov-action@v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
+ vulnerabilities:
+ #
+ # ensure go standards and tests pass
+ #
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ # List of go versions to test on.
+ go: ["^1"]
+ steps:
+ # Checkout go code to test.
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ # Setup Go for each version in the matrix.
+ - name: Setup Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: ${{ matrix.go }}
+ # Use auth to get access to private Git repos for Go code dependencies.
+ - name: Configure git for private modules
+ env:
+ TOKEN: ${{ secrets.GH_CI_PAT }}
+ GITHUB_USERNAME: ${{ inputs.GH_CI_USER }}
+ run:
+ git config --global url."https://${GITHUB_USERNAME}:${TOKEN}@github.com".insteadOf
+ "https://github.com"
 # Install govulncheck
 - id: install-govulncheck
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
From 8771438c404ba63a2208724df2563b916fc21c88 Mon Sep 17 00:00:00 2001
From: Nick Otter
Date: Fri, 25 Oct 2024 16:26:58 -0600
Subject: [PATCH 3/3] ci: run vulnerability scan in its own task
---
 .github/workflows/go_lib_pull_requests.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/go_lib_pull_requests.yml b/.github/workflows/go_lib_pull_requests.yml
index b23ffde..2d39cce 100644
--- a/.github/workflows/go_lib_pull_requests.yml
+++ b/.github/workflows/go_lib_pull_requests.yml @@ -105,7 +105,7 @@ jobs: - name: go test run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname - | xargs -n1 -I{} bash -c "pushd {}; go test --race -v ./..." + | xargs -n1 -I{} bash -c "pushd {}; go test -coverprofile=coverage.txt --race -v ./..." - name: Upload test coverage results to Codecov uses: codecov/codecov-action@v4 with: @@ -143,5 +143,3 @@ jobs: - id: govulncheck run: find . -name vendor -prune -o -name go.mod -print | xargs -n1 dirname | xargs -n1 -I{} bash -c "pushd {}; govulncheck ./..." - | xargs -n1 -I{} bash -c "pushd {}; go test -coverprofile=coverage.txt --race -v ./..." -