.github/workflows/govulncheck.yml

---
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Govulncheck
on:
  workflow_dispatch:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: read-all

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Scan for vulns
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            sum.golang.org:443
            vuln.go.dev:443

      - name: Install Go
        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ">= 1.22.1"
          cache: true

      - id: govulncheck
        uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
        with:
          go-version-input: ">= 1.21"
          check-latest: true