
Conversation

Contributor

@rsoaresd rsoaresd commented Sep 2, 2025

Description

Currently, we only have our custom govulncheck-action enabled on wa, host-operator, member-operator, and registration-service. We need to enable it in the other repos (toolchain-e2e, toolchain-common, ...)

Why are we using our custom toolchain-cicd/govulncheck-action?

Unfortunately, govulncheck does not have a feature for ignoring the vulns. There is a feature request, but we do not know when it will be addressed. To avoid govulncheck failing in PRs, we implemented a workaround on toolchain-cicd to ignore vulnerabilities that do not have a fix available or require a higher Go version than we have.

Related PRs

codeready-toolchain/toolchain-e2e#1190
codeready-toolchain/toolchain-common#490
kubesaw/ksctl#122

Issue ticket number and link

SANDBOX-1401

Summary by CodeRabbit

  • Chores
    • Migrated Go vulnerability scanning in CI to a new action with simplified configuration; Go version now read from go.mod, caching disabled, and an explicit config file enabled for consistent results and clearer auditing.
    • Added scanner configuration that temporarily suppresses a known Go advisory until 2025-10-02 to reduce noise while upstream fixes stabilize.
    • No user-facing application changes.
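The suppression rule the description relies on (ignore a finding only until a date, then let it fail CI again), as an added Go example that is not toolchain-cicd's code. It models the .govulncheck.yaml entries as Go values and filters a govulncheck -json stream; the record shape ("finding" objects with an "osv" field), the struct mapping and the "active while now is before silence-until" semantics are assumptions here, and the sample stream is constructed.

```go
package main

import (
	"encoding/json"
	"strings"
	"time"
)

// IgnoreEntry mirrors one ignored-vulnerabilities item (id, silence-until) in .govulncheck.yaml.
// The field mapping and "active while now is before silence-until" are assumptions of this example.
type IgnoreEntry struct {
	ID           string
	SilenceUntil time.Time
}

// Filter splits the OSV ids in a govulncheck -json stream into ids still reported and ids suppressed
// by an active ignore. An expired entry suppresses nothing, so the finding fails CI again after the date.
func Filter(stream string, ignores []IgnoreEntry, now time.Time) (reported, suppressed []string) {
	active := map[string]bool{}
	for _, e := range ignores {
		active[e.ID] = now.Before(e.SilenceUntil)
	}
	seen := map[string]bool{} // govulncheck emits one finding record per trace depth; report each id once
	dec := json.NewDecoder(strings.NewReader(stream))
	for {
		var rec struct {
			Finding *struct{ OSV string `json:"osv"` } `json:"finding"`
		}
		if err := dec.Decode(&rec); err != nil {
			break // io.EOF ends the stream; a malformed record also stops the scan
		}
		if rec.Finding == nil || seen[rec.Finding.OSV] {
			continue // non-finding record (config, progress, osv) or an id already handled
		}
		seen[rec.Finding.OSV] = true
		if active[rec.Finding.OSV] {
			suppressed = append(suppressed, rec.Finding.OSV)
		} else {
			reported = append(reported, rec.Finding.OSV)
		}
	}
	return reported, suppressed
}

// Constructed sample stream (the PR's advisory at two trace depths plus a made-up id) and the PR's ignore entry as Go values.
const SampleStream = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2025-3750","fixed_version":"v0.0.0-go1.23.10"}}
{"finding":{"osv":"GO-2025-3750","trace":[{"module":"stdlib"}]}}
{"finding":{"osv":"GO-2099-0001"}}`
var Ignores = []IgnoreEntry{{ID: "GO-2025-3750", SilenceUntil: time.Date(2025, 10, 2, 0, 0, 0, 0, time.UTC)}}
```

Run against a date before 2025-10-02 the advisory is suppressed and only the made-up id is reported; on or after that date both ids come back, which is the behaviour that forces the Go upgrade to actually happen.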


coderabbitai bot commented Sep 2, 2025

Walkthrough

Updates the GitHub Actions workflow to use codeready-toolchain/toolchain-cicd/govulncheck-action@master with new inputs referencing go.mod and a .govulncheck.yaml config, and disables caching. Adds a govulncheck configuration file that ignores vulnerability GO-2025-3750 until 2025-10-02 with reference info.

Changes

Cohort / File(s) | Summary

  • CI workflow: govulncheck action swap (.github/workflows/govulncheck.yml): Replaced previous govulncheck action with codeready-toolchain/toolchain-cicd/govulncheck-action@master; removed old inputs; added go-version-file: go.mod, cache: false, and config: .govulncheck.yaml.
  • Security scanning config (.govulncheck.yaml): Added ignored-vulnerabilities entry for GO-2025-3750 with silence-until 2025-10-02 and reference link; includes context comments.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant GV as govulncheck Action
  participant Repo as Repo (go.mod, .govulncheck.yaml)

  Dev->>GH: Push / PR
  GH->>GV: Run govulncheck job
  GV->>Repo: Read go.mod (Go version)
  GV->>Repo: Load .govulncheck.yaml (config, ignores)
  GV->>GV: Execute scan (cache disabled)
  alt Vulnerabilities found (not ignored)
    GV-->>GH: Report failures
  else Only ignored findings
    GV-->>GH: Report success
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through pipelines, ears held high,
New checks nibble code as commits fly.
A hush for GO-2025-3750, just for a moon,
While configs bloom under autumn’s tune.
With steady paws, I guard the stack—
Scan, report, and bound right back. 🐇✨


@sonarqubecloud

sonarqubecloud bot commented Sep 2, 2025


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/govulncheck.yml (1)

14-20: Also pin first-party actions to SHAs

actions/checkout and actions/setup-go should be SHA-pinned for the same reason.

-      uses: actions/checkout@v5
+      uses: actions/checkout@<commit-sha>-      uses: actions/setup-go@v5
+      uses: actions/setup-go@<commit-sha>
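Review bot: when the `@v5` refs on actions/checkout and actions/setup-go are replaced by commit SHAs, keep the version as a trailing comment (`uses: actions/checkout@<commit-sha> # v5`); Dependabot and Renovate use that comment to recognise and bump SHA pins, and a bare SHA turns every future update into a manual diff.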
🧹 Nitpick comments (5)
.govulncheck.yaml (2)

1-7: Add a trailing newline to satisfy linters

File lacks a newline at EOF.

-    info: https://pkg.go.dev/vuln/GO-2025-3750
+    info: https://pkg.go.dev/vuln/GO-2025-3750
+

1-7: Track removal of the ignore before 2025-10-02

Open a follow-up issue (or add a TODO with an issue link) to remove this ignore once Go is upgraded or the fix is adopted.

.github/workflows/govulncheck.yml (3)

12-20: Set least-privilege workflow permissions

Make permissions explicit.

 jobs:
   govulncheck:
     name: govulncheck
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read

16-20: Speed up by caching modules via setup-go

Keep the action’s cache disabled if desired, but enable module cache on setup-go.

       uses: actions/setup-go@<commit-sha>
       with:
         go-version-file: go.mod
+        cache: true
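Review bot: the context line `uses: actions/setup-go@<commit-sha>` does not match the file, which the outside-diff-range comment shows still reads `actions/setup-go@v5`, so this committable suggestion will not apply cleanly unless the SHA pin lands first. Enabling setup-go's module cache is otherwise safe for the scan's results: it keys on go.sum and only stores module sources, so it changes job time, not which advisories govulncheck reports.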

22-26: Add a trailing newline to satisfy linters

File lacks a newline at EOF.

-        config: .govulncheck.yaml
+        config: .govulncheck.yaml
+
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between bca0417 and 87705b3.

📒 Files selected for processing (2)
  • .github/workflows/govulncheck.yml (1 hunks)
  • .govulncheck.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/govulncheck.yml

[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

.govulncheck.yaml

[error] 7-7: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🔇 Additional comments (1)
.govulncheck.yaml (1)

1-7: Time-bounded ignore with clear context looks good

The ignore is scoped, documented, and expires on 2025-10-02. 👍

Comment on lines 22 to 26
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
with:
go-version-input: ${{ steps.install-go.outputs.go-version }}
go-package: ./...
repo-checkout: false
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
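Review bot: with `go-version-input: ${{ steps.install-go.outputs.go-version }}` removed, nothing in this step consumes the `install-go` output any more; either drop that setup-go step (the action now resolves the toolchain itself via `go-version-file: go.mod`) or keep it deliberately for its module cache and say so in the step name, so the duplicate go.mod read is not mistaken for a leftover. Removing `repo-checkout: false` also deserves a check that the action's default does not perform a second checkout over the workspace that actions/checkout has already populated.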


🛠️ Refactor suggestion

Pin the custom action to a commit SHA (avoid @master)

Reduce supply-chain risk by pinning to a specific commit.

-      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
+      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
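Review bot: the SHA pin is the right fix, but this is a first-party action the description says is being rolled out to several repos (toolchain-e2e, toolchain-common, ksctl), so once pinned every fix to the ignore-list logic in toolchain-cicd has to be propagated repo by repo. Pair the pin with a `# <ref>` comment and a Dependabot `github-actions` ecosystem entry so those bumps arrive as PRs rather than being remembered by hand.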
📝 Committable suggestion


Suggested change
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
with:
go-version-input: ${{ steps.install-go.outputs.go-version }}
go-package: ./...
repo-checkout: false
\ No newline at end of file
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>
with:
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
.github/workflows/govulncheck.yml lines 22-26: the workflow pins the govulncheck
action to @master which is unstable; change the uses entry to reference a
specific commit SHA (e.g.
codeready-toolchain/toolchain-cicd/govulncheck-action@<commit-sha>) instead of
@master, update any related docs/lockfile if needed, and commit the updated
workflow so CI uses the immutable action version.

Comment on lines +1 to +7
ignored-vulnerabilities:
# Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
# Found in: os@go1.22.12
# Fixed in: os@go1.23.10
- id: GO-2025-3750
silence-until: 2025-10-02
info: https://pkg.go.dev/vuln/GO-2025-3750 No newline at end of file
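Review bot: the verification-agent conclusion in this thread (the config is incompatible because the official golang/govulncheck-action has no ignore support) is checking the wrong action: the workflow hunk at lines 22-26 uses `codeready-toolchain/toolchain-cicd/govulncheck-action`, and the PR description explains that this in-house action exists precisely to carry an ignore list. The schema check itself is still worth doing, against toolchain-cicd's documentation rather than upstream's, because, as the same comment notes, a key the action does not recognise is skipped without error; the evidence to attach is a CI log from this PR showing GO-2025-3750 listed as ignored rather than merely an absence of failures.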


💡 Verification agent

🧩 Analysis chain

Confirm config schema compatibility

Double-check the action’s config schema supports:

  • top-level key: ignored-vulnerabilities
  • fields: id, silence-until (date), and optional info

If names differ (e.g., ignores), the action may silently ignore entries.


🌐 Web query:

What is the supported configuration schema for codeready-toolchain/toolchain-cicd/govulncheck-action? Does it accept an `ignored-vulnerabilities` list with `id`, `silence-until`, and `info` fields?

💡 Result:

Short answer: The upstream golang govulncheck-action does NOT support an ignored-vulnerabilities list or per‑vulnerability silence fields. Its README explicitly says there's no support for silencing findings. [1]

If you need that behavior, there are third‑party/custom govulncheck action forks that implement a .govulncheck(.x).yaml with an ignored-vulnerabilities list (examples show entries with id plus a silence_until / silence-until date and info link). These are not part of the official golang action. [2][3]

Sources:

  • Official govulncheck-action README (no support for silencing findings). [1]
  • Example custom action (govulncheckx / docs showing ignored-vulnerabilities + silence-until + info). [2][3]

References:
[1] golang/govulncheck-action README.
[2] xcoulon/govulncheckx-action docs (ignored-vulnerabilities example).
[3] libraries.io summary of xcoulon/govulncheckx-action.


Incompatible config: govulncheck-action doesn’t support ignored-vulnerabilities
The official golang govulncheck-action ignores any ignored-vulnerabilities list (and fields like silence-until or info) in .govulncheck.yaml; silencing entries isn’t supported. Either remove this section or switch to a fork (e.g. xcoulon/govulncheckx-action) that implements per-vulnerability silencing.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 7-7: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In .govulncheck.yaml around lines 1 to 7 you have an ignored-vulnerabilities
block which govulncheck-action does not support (including fields like
silence-until and info); either remove the entire ignored-vulnerabilities
section from this file, or keep it only if you switch your GitHub Action to a
fork that supports per-vulnerability silencing (for example update your workflow
to use xcoulon/govulncheckx-action) and ensure the config format matches that
fork’s expectations (remove or adjust unsupported fields if you choose to keep
the file for another tool).

@rsoaresd rsoaresd merged commit e5bb9d8 into codeready-toolchain:master Sep 2, 2025
7 checks passed