kata-containers/.github/workflows/govulncheck.yaml

on:
  workflow_call:

name: Govulncheck

permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        include:
          - binary: "kata-runtime"
            make_target: "runtime"
          - binary: "containerd-shim-kata-v2" 
            make_target: "containerd-shim-v2"
          - binary: "kata-monitor"
            make_target: "monitor"
      fail-fast: false
    
    steps:
      - name: Checkout the code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Install golang
        run: |
          ./tests/install_go.sh -f -p
          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"

      - name: Install govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          echo "${HOME}/go/bin" >> "${GITHUB_PATH}"

      - name: Build runtime binaries
        run: |
          cd src/runtime
          make ${{ matrix.make_target }}
        env:
          SKIP_GO_VERSION_CHECK: "1"

      - name: Run govulncheck on ${{ matrix.binary }}
        run: |
          cd src/runtime
          bash ../../tests/govulncheck-runner.sh "./${{ matrix.binary }}"