ci: add Go vulnerability checker per PR and to Makefile#9873
odeke-em wants to merge 1 commit into tendermint:main from orijtech:Makefile-add-govulncheck
Conversation
Adds the ability for the Go vulnerability checker to be run on all tests in continuous integration. This helps us flag vulnerable code proactively and massively increase supply chain security. Fixes #9872
| - name: "Go vulnerability check" | ||
| run: make vulncheck |
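Review bot: consider making this a standalone workflow rather than a step inside the build workflow: with the step placed here, a govulncheck finding surfaces as a failure of the build job, so build breakage and vulnerability findings are indistinguishable in CI status, and the check cannot be backported to release branches on its own. A separate workflow file that runs `make vulncheck` and is marked required in branch protection gives the same blocking behaviour with a clearer signal.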
Is there any particular reason why the vulnerability check is part of the build workflow?
I'd prefer it if it were its own standalone workflow, so we can clearly distinguish between build failures and vulnerability-related failures in CI.
You def don't want builds to succeed with vulnerabilities. However if you want the override, just caution that many passes can be made optional and if builds succeed, people can ignore them. Help me with a confirmation that you'd prefer it as a different pass.
We'd just add the vulnerability check workflow as a required workflow, like our other required workflows.
Not sure why the Build workflow isn't required at the moment 😄 I'll fix that.
Not sure why the Build workflow isn't required at the moment
Ah, because the v0.34 branch doesn't have a separate "Build" workflow (it's part of the "Tests" workflow there).
Another reason to add this vulnerability check as a distinct workflow, because then it can be automatically backported with minimal effort to the release branches.
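The standalone workflow the reviewers ask for, as an added example that is not part of this PR or the tendermint repository. It assumes the `make vulncheck` target from the PR exists (its Makefile body is not shown on this page) and that the target invokes `golang.org/x/vuln/cmd/govulncheck`; the release-branch pattern, Go version and schedule are assumptions to be adjusted per repository.

```yaml
# Added example, not the PR's own code: a standalone GitHub Actions workflow
# for govulncheck. Assumes `make vulncheck` exists (from this PR) and runs
# golang.org/x/vuln/cmd/govulncheck against ./...
name: Go vulnerability check

on:
  pull_request:
  push:
    branches:
      - main
      - "v*.x"            # assumption: release branches follow this pattern
  schedule:
    - cron: "0 6 * * *"   # daily run: catches advisories published after the last commit

# Read-only token: the job only needs to check out code and fetch the vuln DB.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "1.19"   # assumption: match the module's go directive
      - name: Run govulncheck
        run: make vulncheck    # exits non-zero when a reachable vulnerable symbol is found
```

Because this is a single file keyed on a Makefile target, backporting it to a release branch is a matter of copying the file, as the thread notes. Marking the workflow as required in branch protection keeps PRs from merging with findings, while a failed `Go vulnerability check` status stays visibly distinct from a failed `Build`. The scheduled trigger matters for a dependency-scanning check in particular: the vulnerability database changes independently of the code, so a PR-only trigger would leave a newly published advisory against an already-merged dependency unnoticed until the next unrelated PR.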