
[backport v1.7] ci: Workflow hardening: add govulncheck and zizmor static analysis workflows (#4302)#4328

Open
jpayne3506 wants to merge 1 commit into release/v1.7 from jpayne3506/1.7-4302

Conversation


@jpayne3506 jpayne3506 commented Apr 8, 2026

Reason for Change:

Backports valuable github workflows

Issue Fixed:

Requirements:

Notes:

@jpayne3506 jpayne3506 self-assigned this Apr 8, 2026
@jpayne3506 jpayne3506 added the ci Infra or tooling. label Apr 8, 2026
@jpayne3506 jpayne3506 requested a review from a team as a code owner April 8, 2026 19:31
Copilot AI review requested due to automatic review settings April 8, 2026 19:31
@jpayne3506 jpayne3506 changed the base branch from master to release/v1.7 April 8, 2026 19:31
Comment thread .github/workflows/govulncheck.yaml Dismissed
@jpayne3506

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

Copilot AI left a comment

Pull request overview

This PR backports and adds hardened GitHub Actions workflows to strengthen CI security and supply-chain posture by introducing static analysis for workflow files and vulnerability scanning for Go modules across the repository’s multi-module workspace.

Changes:

  • Add a zizmor workflow to statically analyze GitHub Actions workflows and upload findings to code scanning.
  • Add a govulncheck workflow that runs govulncheck across a module matrix, plus a guard job to ensure all go.mod files are covered.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Reviewed files:

  • .github/workflows/zizmor.yaml: New workflow to run zizmor GitHub Actions static analysis with code scanning upload permissions.
  • .github/workflows/govulncheck.yaml: New workflow to run govulncheck across all Go modules in a matrix, including a coverage check for go.mod discovery.

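The review above describes a guard job that checks every go.mod is covered by the govulncheck matrix. The script below is an added example written for this page, not code from the PR or from the Azure/azure-container-networking repository: it implements that coverage guard as a stand-alone POSIX shell function and builds a constructed sample tree to run it against. The assumption is that the workflow keeps an explicit newline-separated list of module directories that the matrix iterates over; the variable names, the sample module layout and the `example.invalid` module paths are all constructed.

```shell
#!/bin/sh
# Added example, not code from the PR: a stand-alone version of the
# "coverage guard" the review describes. It fails when a go.mod exists
# in the tree that the govulncheck matrix does not list, so a new module
# cannot silently escape vulnerability scanning.
# Assumption (constructed): the matrix is driven by a newline-separated
# list of module directories relative to the repo root, "." for the root.

# check_module_coverage ROOT LISTED
#   ROOT   repository root to search
#   LISTED newline-separated module directories the matrix scans
# Returns 0 when every go.mod under ROOT (vendor/ excluded) is in LISTED;
# otherwise prints the unlisted directories to stderr and returns 1.
check_module_coverage() {
  root="$1"
  listed="$2"
  missing=""
  # Normalise find output: ./cmd/tool/go.mod -> cmd/tool ; ./go.mod -> .
  found=$(cd "$root" && find . ! -path '*/vendor/*' -name go.mod \
            | sed 's#^\./##; s#/go\.mod$##; s#^go\.mod$#.#' | sort)
  for m in $found; do
    # -x: whole-line match; -F: literal, so "." is not treated as a regex
    if ! printf '%s\n' "$listed" | grep -qxF -- "$m"; then
      missing="$missing $m"
    fi
  done
  if [ -n "$missing" ]; then
    echo "go.mod files not covered by the govulncheck matrix:$missing" >&2
    return 1
  fi
  return 0
}

# make_sample_repo: builds a constructed temporary tree with a root module,
# two nested modules and a vendored go.mod that must be ignored.
# Prints the directory path.
make_sample_repo() {
  dir=$(mktemp -d)
  for d in . cmd/tool nested/sub vendor/dep; do
    mkdir -p "$dir/$d"
    printf 'module example.invalid/%s\n\ngo 1.22\n' "$d" > "$dir/$d/go.mod"
  done
  echo "$dir"
}

# Run with --demo to see both outcomes on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
  repo=$(make_sample_repo)
  check_module_coverage "$repo" "$(printf '.\ncmd/tool\nnested/sub')" && echo "all modules covered"
  check_module_coverage "$repo" "$(printf '.\ncmd/tool')" || echo "guard failed as expected"
  rm -rf "$repo"
fi
```

In a workflow, the same function would run as a separate job with the matrix list passed in, so a contributor who adds a module without extending the matrix gets a red check naming the missing directory rather than an unscanned module.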

Comment thread .github/workflows/govulncheck.yaml
@jpayne3506 jpayne3506 changed the title ci: Workflow hardening: add govulncheck and zizmor static analysis wo… [backport v1.7] ci: Workflow hardening: add govulncheck and zizmor static analysis workflows (#4302) Apr 8, 2026
@jpayne3506 jpayne3506 added the release/1.7 Change affects v1.7 release train label Apr 8, 2026
@rbtr rbtr commented Apr 9, 2026

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@jpayne3506 jpayne3506 enabled auto-merge April 13, 2026 19:21
…rkflows (#4302)

* Initial plan

* add govulncheck and zizmor workflow files with SHA-pinned actions

Agent-Logs-Url: https://github.com/Azure/azure-container-networking/sessions/fa67252f-bb36-48c3-bd99-0aabf2f99b12

Co-authored-by: jpayne3506 <89417863+jpayne3506@users.noreply.github.com>

* govulncheck: add matrix for all go.mod files and coverage guard job

Agent-Logs-Url: https://github.com/Azure/azure-container-networking/sessions/298ba314-3726-40bc-adab-1c3ffcf85a98

Co-authored-by: jpayne3506 <89417863+jpayne3506@users.noreply.github.com>

* fix: repo-checkout: false

* ci: include bpf files

* fix: match go version

* fix: reorder bpf generation

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jpayne3506 <89417863+jpayne3506@users.noreply.github.com>
Co-authored-by: jpayne3506 <payne.3506@gmail.com>
@jpayne3506 jpayne3506 force-pushed the jpayne3506/1.7-4302 branch from ec5a759 to 8488747 Compare April 14, 2026 16:15
@jpayne3506

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@jpayne3506 jpayne3506 added this pull request to the merge queue Apr 14, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 14, 2026