kata-containers/.github/workflows/govulncheck.yaml

on:
  workflow_call:

name: Govulncheck

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  govulncheck:
    name: govulncheck
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        include:
          - binary: "kata-runtime"
            make_target: "runtime"
          - binary: "containerd-shim-kata-v2"
            make_target: "containerd-shim-v2"
          - binary: "kata-monitor"
            make_target: "monitor"
      fail-fast: false

    steps:
      - name: Checkout the code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Install yq
        run: |
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false

      - name: Read properties from versions.yaml
        run: |
          go_version="$(yq '.languages.golang.version' versions.yaml)"
          [ -n "$go_version" ]
          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"

      - name: Setup Golang version ${{ env.GO_VERSION }}
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Install govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          echo "${HOME}/go/bin" >> "${GITHUB_PATH}"

      - name: Build runtime binaries
        run: |
          cd src/runtime
          make "${MAKE_TARGET}"
        env:
          MAKE_TARGET: ${{ matrix.make_target }}
          SKIP_GO_VERSION_CHECK: "1"

      - name: Run govulncheck on ${{ matrix.binary }}
        env:
          BINARY: ${{ matrix.binary }}
        run: |
          cd src/runtime
          bash ../../tests/govulncheck-runner.sh "./${BINARY}"