Compare commits
4 Commits
f9c57f34d0
...
72abf37b2d
| Author | SHA1 | Date | |
|---|---|---|---|
|
72abf37b2d | ||
|
|
5bea62b8cf | ||
|
|
dd86944e64 | ||
|
|
38afdeffa0 |
@@ -48,17 +48,27 @@ jobs:
|
||||
go mod tidy
|
||||
go mod verify
|
||||
|
||||
- name: Run gosec security analysis
|
||||
uses: securego/gosec@v2.22.4
|
||||
env:
|
||||
GOTOOLCHAIN: auto
|
||||
- name: Restore cached gosec binary
|
||||
id: cache-gosec
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
args: ./...
|
||||
path: ${{ runner.temp }}/gosec-bin
|
||||
key: gosec-v2.22.4-${{ runner.os }}-${{ runner.arch }}
|
||||
|
||||
- name: Install gosec binary
|
||||
if: steps.cache-gosec.outputs.cache-hit != 'true'
|
||||
run: |
|
||||
set -euo pipefail
|
||||
mkdir -p "${RUNNER_TEMP}/gosec-bin"
|
||||
GOBIN="${RUNNER_TEMP}/gosec-bin" go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
|
||||
|
||||
- name: Run gosec security analysis
|
||||
run: |
|
||||
set -euo pipefail
|
||||
"${RUNNER_TEMP}/gosec-bin/gosec" ./...
|
||||
|
||||
- name: Run govulncheck
|
||||
uses: golang/govulncheck-action@v1.0.4
|
||||
env:
|
||||
GOTOOLCHAIN: auto
|
||||
with:
|
||||
go-package: ./...
|
||||
cache: true
|
||||
|
||||
@@ -44,10 +44,24 @@ jobs:
|
||||
go mod tidy
|
||||
go mod verify
|
||||
|
||||
- name: Run gosec security analysis
|
||||
uses: securego/gosec@v2.22.4
|
||||
- name: Restore cached gosec binary
|
||||
id: cache-gosec
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
args: ./...
|
||||
path: ${{ runner.temp }}/gosec-bin
|
||||
key: gosec-v2.22.4-${{ runner.os }}-${{ runner.arch }}
|
||||
|
||||
- name: Install gosec binary
|
||||
if: steps.cache-gosec.outputs.cache-hit != 'true'
|
||||
run: |
|
||||
set -euo pipefail
|
||||
mkdir -p "${RUNNER_TEMP}/gosec-bin"
|
||||
GOBIN="${RUNNER_TEMP}/gosec-bin" go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
|
||||
|
||||
- name: Run gosec security analysis
|
||||
run: |
|
||||
set -euo pipefail
|
||||
"${RUNNER_TEMP}/gosec-bin/gosec" ./...
|
||||
|
||||
- name: Run govulncheck
|
||||
uses: golang/govulncheck-action@v1.0.4
|
||||
|
||||
@@ -38,7 +38,8 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
|
||||
- Fixed `decorate-pr/action.yml` YAML validation by extracting PR comment rendering into `decorate-pr/build-comment.sh`, removing the duplicated changelog extraction step, and correcting the gate failure output reference.
|
||||
- Fixed docs-only detection in `decorate-pr` changelog gate: file list was iterated in a piped subshell so `docs_only` never propagated to the parent scope; replaced pipe with process substitution.
|
||||
- Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.0.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.
|
||||
- Added `GOTOOLCHAIN: auto` environment variable to `gosec` and `govulncheck-action` steps in `push-validation` and `prepare-release` workflows to prevent Go toolchain version mismatches inside the act runner container.
|
||||
- Restored explicit gosec caching by storing a pinned `v2.22.4` binary under `${{ runner.temp }}/gosec-bin` with `actions/cache@v4`, so CI keeps fast security scans while still using the Go 1.26 toolchain from `setup-go`.
|
||||
- Replaced `securego/gosec` composite action with a direct `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 && gosec ./...` run step so gosec uses the Go 1.26 toolchain installed by `setup-go` rather than the action's bundled Go 1.24 binary which ignores `GOTOOLCHAIN=auto`.
|
||||
|
||||
## [1.0.2] - 2026-03-21
|
||||
|
||||
|
||||
Reference in New Issue
Block a user