
Conversation

@xcoulon xcoulon commented Dec 10, 2025

see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159

also, update ignored vulnerabilities (remove obsolete and unneeded 🤷‍♂️)

Signed-off-by: Xavier Coulon xcoulon@redhat.com

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated GitHub Actions workflow configuration with enhanced debugging capabilities
    • Refreshed vulnerability tracking configuration with updated maintenance timelines


coderabbitai bot commented Dec 10, 2025

Walkthrough

This pull request updates the govulncheck GitHub Actions workflow configuration and extends the silence-until dates for managed vulnerabilities. The workflow configuration enables debug mode and simplifies version/cache settings, while the vulnerability ignore list reorders entries and shifts expiration dates forward by approximately one month.

Changes

Cohort / File(s) | Summary

Govulncheck Configuration
.github/workflows/govulncheck.yml
Removed go-version-file, cache, and config input lines; added explicit config: .govulncheck.yaml and debug: true to enable debug mode and specify configuration file location.

Vulnerability Ignore List
.govulncheck.yaml
Reordered ignored vulnerability entries (asn1 GO-2025-4011, net/url GO-2025-4010, encoding/pem GO-2025-4009, crypto/x509 GO-2025-4007); updated silence-until dates from 2025-12-03 to 2026-01-10 across multiple entries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Both files contain straightforward configuration changes with no functional logic alterations
  • Changes are primarily date updates and workflow input reordering
  • No code logic, dependencies, or control flow modifications to evaluate

Possibly related PRs

Suggested reviewers

  • MatousJobanek

Poem

🐰 Vulnerability dates hop forward with care,
From December to January in the air,
Debug mode enabled, configs refined,
Silences extended, peace of mind!
✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description check ⚠️ Warning The description is incomplete. It lacks the structured template sections required by the repository, including the 'Checks' section with make generate, CRD, and cross-project PR link questions. Fill in the required template sections including 'Checks' with answers to make generate, CRD updates, and any cross-project PR links (host-operator, member-operator).
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title describes running govulncheck from a container, which aligns with the main objectives to implement container-based execution and update vulnerability configurations.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@xcoulon xcoulon force-pushed the govulncheck_dockerfile_api branch from af035f8 to 740ea5a Compare December 11, 2025 11:27
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b7a2d11 and 740ea5a.

📒 Files selected for processing (2)
  • .github/workflows/govulncheck.yml (1 hunks)
  • .govulncheck.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🔇 Additional comments (1)
.govulncheck.yaml (1)

2-26: Address trailing whitespace and clarify vulnerability silencing strategy.

Line 26 contains trailing whitespace that should be removed. More importantly, the silencing dates warrant clarification:

  • GO-2025-4010 (net/url) is silenced until 2026-01-03
  • GO-2025-4007, GO-2025-4009, GO-2025-4011 are silenced until 2026-01-10 (one week later)

The inconsistent dates suggest these may have been set at different times or based on different upgrade timelines. Additionally, the PR description mentions "removes entries described as obsolete and unneeded," but the provided code shows reordering with date extensions rather than removals. Please clarify:

  1. Were any vulnerability entries actually removed (not shown in this diff)?
  2. Are these silence-until dates based on planned Go version upgrades, or are they preventative?
  3. Should GO-2025-4010 be aligned with the others at 2026-01-10 for consistency?

Apply this diff to remove trailing whitespace:

  - id: GO-2025-4011
    info: https://pkg.go.dev/vuln/GO-2025-4011
    silence-until: 2026-01-10
-  
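Review bot: the suggested diff only deletes the whitespace-only line after the GO-2025-4011 entry; none of the three questions above (whether entries were actually removed, whether the dates track a planned Go upgrade, whether GO-2025-4010 should move to 2026-01-10) is settled by applying it, so accepting the suggestion still leaves the comment open. A reviewer would ask for a comment beside each silence-until line naming the Go release that closes that advisory, so the next bump is tied to an upgrade date rather than pushed forward by a month again.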

Comment on lines +19 to +20
config: .govulncheck.yaml
debug: true # optional (default = false)
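Review bot: the "debug: true" line should be checked against the action ref this workflow pins to, not against the master README fetched in the analysis below; the PR description points at codeready-toolchain/toolchain-cicd#159 for the accompanying action changes, and if that PR declares a "debug" input the recommendation to delete the line is wrong. If the input really is not declared in the action's action.yml, GitHub Actions logs an "Unexpected input(s)" warning and ignores it rather than failing the job, so the symptom would be a silent no-op and the green checks on this PR are not evidence either way.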

⚠️ Potential issue | 🟑 Minor

🧩 Analysis chain

🌐 Web query:

codeready-toolchain/toolchain-cicd govulncheck-action action.yml parameters

💡 Result:

Here are the inputs (parameters) defined for the govulncheck GitHub Action (action.yml) and their defaults/meanings:

  • go-version-input: Version of Go to use for govulncheck (optional). [1][2]
  • check-latest: Whether to always check for the latest Go version satisfying the spec (optional, default: false). [1][2]
  • cache: Whether to enable Go caching (optional, default: true). [1][2]
  • cache-dependency-path: Path to dependency file used for cache (optional, default: '') (useful for monorepos). [2]
  • go-package (aka go-package / go-package): Package pattern to scan (optional, default: './...'). [1][2]
  • work-dir (work-dir / work-dir): Directory in which to run govulncheck (optional, default: '.'). [1][2]
  • repo-checkout: Whether to checkout the repository before running (optional, default: true). [1][2]
  • go-version-file: Path to go.mod or go.work file used to determine Go version (optional, default: ''). [1][2]
  • output-format: govulncheck output format ('text', 'json', 'sarif') (optional, default: 'text'). [2]
  • output-file: File to which govulncheck output is redirected (optional, default: ''). [2]
  • (other variants / forks) go-version / vulncheck-version / package / working-directory / github-token / fail-on-vuln / skip-upload β€” used by some community forks (defaults vary by fork). [3][5]

Sources:
[1] govulncheck-action action.yml (Go mirror).
[2] golang/govulncheck-action README (GitHub mirror).
[3] Templum/govulncheck-action README (community fork showing alternative input names).


🏁 Script executed:

# Fetch the action.yml file from the govulncheck-action repository
curl -s https://raw.githubusercontent.com/codeready-toolchain/toolchain-cicd/master/govulncheck-action/action.yml

Repository: codeready-toolchain/api

Length of output: 81


🏁 Script executed:

# Also check if README exists with parameter documentation
curl -s https://raw.githubusercontent.com/codeready-toolchain/toolchain-cicd/master/govulncheck-action/README.md | head -100

Repository: codeready-toolchain/api

Length of output: 1722


Remove the debug parameter and trailing whitespace on line 19.

The debug: true parameter is not documented in the codeready-toolchain/toolchain-cicd govulncheck-action and should be removed, as it appears to be an unsupported input. Line 19 also has a trailing space after .govulncheck.yaml that should be cleaned up. The config parameter is valid and correctly supported by this custom action.

🤖 Prompt for AI Agents
.github/workflows/govulncheck.yml around lines 19-20: remove the unsupported
"debug: true" input and trim the trailing whitespace after ".govulncheck.yaml"
on the config line; leave the valid "config: .govulncheck.yaml" entry but ensure
there is no trailing space and delete the entire "debug: true" line so only
supported inputs remain.
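The silence-until mechanism discussed in the review above is easy to get subtly wrong: an expired silence must stop suppressing, a silence whose ID no longer appears in the findings is dead weight, and dates that drift apart are a sign the expiry is being bumped rather than planned. The Go program below is an added example written for this page, not code from this PR or from the codeready-toolchain/toolchain-cicd govulncheck-action: it parses ignore-list entries in the three-field shape shown in the review (id, info, silence-until) and applies them to a list of finding IDs. The top-level ignore: key, the rule that a silence covers the whole of its silence-until day, the finding list, and the placeholder ID GO-0000-0000 are assumptions constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Silence is one ignore-list entry: the Go vulnerability ID, the advisory
// link, and the last day on which the entry still suppresses a finding.
type Silence struct {
	ID           string
	Info         string
	SilenceUntil time.Time
}

// ParseSilences reads "- id / info / silence-until" items from the config.
// The "ignore:" key and the exact schema of the toolchain-cicd action are
// assumptions; only the three per-entry fields shown in the review are used.
func ParseSilences(doc string) ([]Silence, error) {
	var out []Silence
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // trailing whitespace is tolerated
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "- ") {
			out = append(out, Silence{})
			line = strings.TrimPrefix(line, "- ")
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || len(out) == 0 {
			continue // e.g. the "ignore:" header before any entry
		}
		cur := &out[len(out)-1]
		val = strings.TrimSpace(val)
		switch strings.TrimSpace(key) {
		case "id":
			cur.ID = val
		case "info":
			cur.Info = val
		case "silence-until":
			t, err := time.Parse("2006-01-02", val)
			if err != nil {
				return nil, fmt.Errorf("entry %q: bad silence-until %q: %w", cur.ID, val, err)
			}
			cur.SilenceUntil = t
		}
	}
	return out, sc.Err()
}

// Report is the outcome of applying the ignore list to govulncheck findings.
type Report struct {
	Suppressed []string // findings hidden by a silence still in force
	Failing    []string // findings with no silence, or whose silence has lapsed
	Expired    []string // silences that have lapsed (found again or not)
	Stale      []string // silences whose ID is no longer among the findings
}

// Evaluate applies the silences to finding IDs as of "now". Assumption: a
// silence covers the whole of its silence-until day and lapses at the
// following midnight UTC.
func Evaluate(silences []Silence, findings []string, now time.Time) Report {
	active, found := map[string]bool{}, map[string]bool{}
	for _, f := range findings {
		found[f] = true
	}
	var r Report
	for _, s := range silences {
		if !now.Before(s.SilenceUntil.AddDate(0, 0, 1)) {
			r.Expired = append(r.Expired, s.ID)
		} else {
			active[s.ID] = true
		}
		if !found[s.ID] {
			r.Stale = append(r.Stale, s.ID)
		}
	}
	for _, f := range findings {
		if active[f] {
			r.Suppressed = append(r.Suppressed, f)
		} else {
			r.Failing = append(r.Failing, f)
		}
	}
	for _, l := range []*[]string{&r.Suppressed, &r.Failing, &r.Expired, &r.Stale} {
		sort.Strings(*l)
	}
	return r
}

// OddOnesOut returns IDs whose silence-until differs from the date most
// entries share; a non-empty result is the "inconsistent dates" the review flags.
func OddOnesOut(silences []Silence) []string {
	count := map[time.Time]int{}
	for _, s := range silences {
		count[s.SilenceUntil]++
	}
	var modal time.Time
	for d, n := range count {
		if n > count[modal] || (n == count[modal] && d.After(modal)) {
			modal = d
		}
	}
	var odd []string
	for _, s := range silences {
		if !s.SilenceUntil.Equal(modal) {
			odd = append(odd, s.ID)
		}
	}
	sort.Strings(odd)
	return odd
}

// sampleConfig is constructed from the four IDs and dates visible in the
// review; the "ignore:" key is assumed and the last line reproduces the
// trailing whitespace the bot flagged.
const sampleConfig = `ignore:
  - id: GO-2025-4007
    info: https://pkg.go.dev/vuln/GO-2025-4007
    silence-until: 2026-01-10
  - id: GO-2025-4009
    info: https://pkg.go.dev/vuln/GO-2025-4009
    silence-until: 2026-01-10
  - id: GO-2025-4010
    info: https://pkg.go.dev/vuln/GO-2025-4010
    silence-until: 2026-01-03
  - id: GO-2025-4011
    info: https://pkg.go.dev/vuln/GO-2025-4011
    silence-until: 2026-01-10
  `

// sampleFindings stands in for the IDs govulncheck would report (constructed);
// GO-0000-0000 is a placeholder for a new, unsilenced finding.
var sampleFindings = []string{"GO-2025-4010", "GO-2025-4007", "GO-0000-0000", "GO-2025-4011"}

func main() {
	silences, err := ParseSilences(sampleConfig)
	if err != nil {
		panic(err)
	}
	now := time.Date(2026, 1, 5, 9, 0, 0, 0, time.UTC) // between the two silence-until dates
	r := Evaluate(silences, sampleFindings, now)
	fmt.Printf("suppressed: %v\nfailing: %v\nexpired: %v\nstale: %v\n", r.Suppressed, r.Failing, r.Expired, r.Stale)
	fmt.Printf("misaligned silence-until: %v\n", OddOnesOut(silences))
	if len(r.Failing) > 0 {
		fmt.Println("build should fail")
	}
}
```

Run as-is it evaluates the four entries as of 2026-01-05, when only the GO-2025-4010 silence has lapsed, and reports that ID both as expired (so it fails the build again) and as the one entry misaligned with the others, while GO-2025-4009 is reported stale because nothing in the findings matches it. The real action may treat the expiry boundary differently, so check its action.yml before relying on the day-inclusive rule.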

@xcoulon xcoulon merged commit 72303aa into master Dec 11, 2025
7 checks passed
@xcoulon xcoulon deleted the govulncheck_dockerfile_api branch December 11, 2025 12:33