From dd1d802605991d793b88269fba4f08404e269a8c Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson
Date: Sat, 21 Mar 2026 20:15:08 +0000
Subject: [PATCH] ci: replace gosec action with direct invocation, pin govulncheck to v1.0.4
Per security scanning requirements in project instructions:
- Replace securego/gosec@v2.22.3 action with go install + gosec run step in both push-validation and pr-validation to avoid compatibility issues with Go 1.26.1
- Pin golang/govulncheck-action from @v1 to @v1.0.4 in both workflows; major-version tags do not resolve reliably in Gitea API
- Move GOTOOLCHAIN=auto from per-step env to job-level env in both workflows
- Bump coverage-badge in push-validation from v1.0.1 to v1.1.0
---
 .gitea/workflows/pr-validation.yml | 14 ++++++--------
 .gitea/workflows/push-validation.yml | 16 +++++++---------
 2 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/.gitea/workflows/pr-validation.yml b/.gitea/workflows/pr-validation.yml
index e8396be..613a157 100644
--- a/.gitea/workflows/pr-validation.yml
+++ b/.gitea/workflows/pr-validation.yml
@@ -22,6 +22,7 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
 AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
 AWS_EC2_METADATA_DISABLED: true
+ GOTOOLCHAIN: auto
 SUMMARY_FILE: ${{ runner.temp }}/summary.md
 steps:
 - name: Checkout
@@ -136,16 +137,13 @@ jobs:
 fi
 - name: Run Gosec Security Scanner
- uses: securego/gosec@v2.22.3
- env:
- GOTOOLCHAIN: auto
- with:
- args: './...'
+ run: |
+ set -euo pipefail
+ go install github.com/securego/gosec/v2/cmd/gosec@latest
+ gosec ./...
 - name: Run Go Vulnerability Check
- uses: golang/govulncheck-action@v1
- env:
- GOTOOLCHAIN: auto
+ uses: golang/govulncheck-action@v1.0.4
 - name: Upload coverage badge
 id: badge
diff --git a/.gitea/workflows/push-validation.yml b/.gitea/workflows/push-validation.yml
index bcfac07..33a322f 100644
--- a/.gitea/workflows/push-validation.yml
+++ b/.gitea/workflows/push-validation.yml
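Review bot: The added `go install github.com/securego/gosec/v2/cmd/gosec@latest` line in the Run Gosec Security Scanner step swaps a version-pinned action for a floating dependency, so the scanner binary executed on every PR is whatever the module proxy serves as latest at that moment, while the same commit pins govulncheck-action to v1.0.4 for exactly the opposite reason. Pin it to the version that was previously in use, `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3`, and bump it deliberately in later commits; the go command still checks the module against the checksum database, but only a fixed version makes the scan reproducible and keeps a broken or compromised upstream release from entering CI unreviewed. A floating gosec can also start failing the job when a new release adds rules, with no change in this repository to explain it. The job and steps list this step belongs to begin outside the hunk.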
@@ -22,6 +22,7 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
 AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
 AWS_EC2_METADATA_DISABLED: true
+ GOTOOLCHAIN: auto
 SUMMARY_FILE: ${{ runner.temp }}/summary.md
 steps:
 - name: Checkout
@@ -64,16 +65,13 @@ jobs:
 fi
 - name: Run Gosec Security Scanner
- uses: securego/gosec@v2.22.3
- env:
- GOTOOLCHAIN: auto
- with:
- args: './...'
+ run: |
+ set -euo pipefail
+ go install github.com/securego/gosec/v2/cmd/gosec@latest
+ gosec ./...
 - name: Run Go Vulnerability Check
- uses: golang/govulncheck-action@v1
- env:
- GOTOOLCHAIN: auto
+ uses: golang/govulncheck-action@v1.0.4
 - name: Install AWS CLI v2
 uses: ankurk91/install-aws-cli-action@v1
@@ -158,7 +156,7 @@ jobs:
 - name: Publish coverage artefacts
 id: coverage-badge
- uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.0.1
+ uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
 with:
 coverage-profile: coverage.out
 coverage-html: coverage.html
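Review bot: The push-validation Run Gosec Security Scanner step has the same unpinned `go install github.com/securego/gosec/v2/cmd/gosec@latest` as pr-validation, and on the push workflow this runs against main, so the version of the scanner gating merged code is chosen by the module proxy rather than by this repository. Pin it to `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3` (the version the removed action used) so the two workflows keep running the same scanner and a gosec release cannot change results or break the job without a reviewed commit. Since the step is now duplicated verbatim in both workflow files, consider a short comment above it in each, such as `# keep gosec version in sync with pr-validation.yml`, so the pins are bumped together. The job these steps belong to starts outside the hunk.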