diff --git a/.gitea/workflows/prepare-release.yml b/.gitea/workflows/prepare-release.yml
index 113c42f..fff62a2 100644
--- a/.gitea/workflows/prepare-release.yml
+++ b/.gitea/workflows/prepare-release.yml
@@ -48,11 +48,24 @@ jobs:
 go mod tidy
 go mod verify
+ - name: Restore cached gosec binary
+ id: cache-gosec
+ uses: actions/cache@v4
+ with:
+ path: ${{ runner.temp }}/gosec-bin
+ key: gosec-v2.22.4-${{ runner.os }}-${{ runner.arch }}
+
+ - name: Install gosec binary
+ if: steps.cache-gosec.outputs.cache-hit != 'true'
+ run: |
+ set -euo pipefail
+ mkdir -p "${RUNNER_TEMP}/gosec-bin"
+ GOBIN="${RUNNER_TEMP}/gosec-bin" go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
+
 - name: Run gosec security analysis
 run: |
 set -euo pipefail
- go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
- gosec ./...
+ "${RUNNER_TEMP}/gosec-bin/gosec" ./...
 - name: Run govulncheck
 uses: golang/govulncheck-action@v1.0.4
diff --git a/.gitea/workflows/push-validation.yml b/.gitea/workflows/push-validation.yml
index 1f47217..f833d1b 100644
--- a/.gitea/workflows/push-validation.yml
+++ b/.gitea/workflows/push-validation.yml
@@ -44,11 +44,24 @@ jobs:
 go mod tidy
 go mod verify
+ - name: Restore cached gosec binary
+ id: cache-gosec
+ uses: actions/cache@v4
+ with:
+ path: ${{ runner.temp }}/gosec-bin
+ key: gosec-v2.22.4-${{ runner.os }}-${{ runner.arch }}
+
+ - name: Install gosec binary
+ if: steps.cache-gosec.outputs.cache-hit != 'true'
+ run: |
+ set -euo pipefail
+ mkdir -p "${RUNNER_TEMP}/gosec-bin"
+ GOBIN="${RUNNER_TEMP}/gosec-bin" go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
+
 - name: Run gosec security analysis
 run: |
 set -euo pipefail
- go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
- gosec ./...
+ "${RUNNER_TEMP}/gosec-bin/gosec" ./...
 - name: Run govulncheck
 uses: golang/govulncheck-action@v1.0.4
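Review bot: The gosec executable that `"${RUNNER_TEMP}/gosec-bin/gosec" ./...` now runs comes from a cache entry that is never verified, and prepare-release.yml and push-validation.yml both use the identical key `gosec-v2.22.4-${{ runner.os }}-${{ runner.arch }}`, so the release job runs whatever binary an earlier run of either workflow saved; the same applies to the second hunk. How the runner's cache backend scopes entries between branches and workflows is not visible here, so unless it isolates them the release workflow should get its own key, e.g. `key: gosec-release-v2.22.4-${{ runner.os }}-${{ runner.arch }}`, or keep the plain `go install` step so Go's module checksum verification still happens on every release run. The version is also written separately in the key and in the install command, so a bump that touches only the `go install` line would keep hitting the old cache entry and silently scan with the stale gosec; a single workflow-level `env` value such as `GOSEC_VERSION` referenced in both places avoids that drift. `actions/cache@v4` is a mutable tag and could be pinned to a commit SHA.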