Skip to content
Security

chore: update flake inputs and fix new gosec findings #17

Sign in to view logs

chore: update flake inputs and fix new gosec findings

chore: update flake inputs and fix new gosec findings #17

Workflow file for this run

.github/workflows/security.yml at 48fdb5d
# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
govulncheck:
name: Vulnerability Check
runs-on: ubuntu-latest
concurrency:
group: security-govulncheck-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
- name: Run govulncheck
run: nix run '.#govulncheck'
osv-scanner:
name: OSV Scan
runs-on: ubuntu-latest
concurrency:
group: security-osv-scanner-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
- name: Run osv-scanner
run: nix run '.#osv-scanner'
secrets:
name: Secret Scan
runs-on: ubuntu-latest
concurrency:
group: security-secrets-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
persist-credentials: false
- uses: trufflesecurity/trufflehog@7635b24fd512a2e817dd3e9dd661caaf035a079d # v3.93.1
with:
extra_args: --only-verified
codeql:
name: CodeQL (Go)
runs-on: ubuntu-latest
concurrency:
group: security-codeql-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
security-events: write
env:
CGO_ENABLED: "0"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
with:
go-version: "1.25"
- name: Initialize CodeQL
uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
languages: go
build-mode: manual
- name: Build
run: go build ./...
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3