chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 #247
Workflow file for this run
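---
# Copyright 2026 CloudBlue LLC
# SPDX-License-Identifier: Apache-2.0

# Security workflow: runs govulncheck and gosec over the three Go modules
# (root, sdk, plugins/contrib) whenever code changes, plus a weekly scheduled
# run so newly published advisories are caught between commits.
name: Security

on:
  push:
    branches:
      - master
      - 'release/**'
  # No activity-type filter: runs on the default pull_request activity types.
  pull_request:
  schedule:
    # Run weekly on Monday at 00:00 UTC
    - cron: '0 0 * * 1'

concurrency:
  # Scheduled runs get a unique group (run_id) so they are never cancelled by
  # each other; PR and push runs are deduplicated per PR number / ref.
  group: ${{ github.workflow }}-${{ github.event_name == 'schedule' && github.run_id || github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name != 'schedule' }}

# Default token scope for every job; jobs that need more declare it explicitly.
permissions:
  contents: read

env:
  # Both scanners are installed with `go install` at a pinned version so that
  # results are reproducible across runs.
  GOVULNCHECK_VERSION: 'v1.1.4'
  GOSEC_VERSION: 'v2.23.0'

jobs:
  changes:
    name: Detect changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): write access is broader than the checkout and local
      # action visible in this job appear to need; confirm
      # detect-code-changes really requires it, otherwise reduce to read.
      pull-requests: write
    outputs:
      # 'true' when the local action reports Go code changes; gates the scans.
      code: ${{ steps.check.outputs.code }}
    steps:
      - name: Checkout action
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Only the local composite actions are needed for this job.
          sparse-checkout: .github/actions
          sparse-checkout-cone-mode: false
      - name: Detect code changes
        id: check
        uses: ./.github/actions/detect-code-changes

  govulncheck:
    name: Vulnerability Check
    needs: [changes]
    # NOTE(review): on scheduled runs this gate depends on
    # detect-code-changes reporting code == 'true' for a non-PR event;
    # confirm the action handles that case, or the weekly scan never runs.
    if: needs.changes.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
          # One cache key covering all three modules' dependency graphs.
          cache-dependency-path: |
            go.sum
            sdk/go.sum
            plugins/contrib/go.sum
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@${{ env.GOVULNCHECK_VERSION }}
      # Each module is a separate Go module, so ./... must be run from its
      # own root; the nested modules are not reached from the repository root.
      - name: Run govulncheck (root module)
        run: govulncheck ./...
      - name: Run govulncheck (SDK module)
        working-directory: sdk
        run: govulncheck ./...
      - name: Run govulncheck (Contrib module)
        working-directory: plugins/contrib
        run: govulncheck ./...

  gosec:
    name: Security Scan (gosec)
    needs: [changes]
    if: needs.changes.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
          cache-dependency-path: |
            go.sum
            sdk/go.sum
            plugins/contrib/go.sum
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@${{ env.GOSEC_VERSION }}
      - name: Run gosec (root module)
        # G706 (Log injection): All logging uses slog structured logging where
        # values are written as separate JSON key-value pairs, never interpolated
        # into message strings. Log injection is not possible.
        # Safety net: a separate "no-raw-logging" check (not part of this
        # workflow) enforces that all production code uses slog, not
        # fmt.Print*/log.Print*. Keep this exclusion only while that check
        # still exists.
        # NOTE(review): -exclude-dir=plugins skips everything under plugins/,
        # not only the contrib module scanned below; confirm no other Go code
        # lives there, or it is never scanned.
        run: gosec -exclude=G706 -exclude-dir=sdk -exclude-dir=plugins ./...
      - name: Run gosec (SDK module)
        working-directory: sdk
        run: gosec ./...
      - name: Run gosec (Contrib module)
        working-directory: plugins/contrib
        run: gosec ./...

  # TODO: Enable when repo is public (requires GitHub Advanced Security).
  # When enabling, pin both actions to a commit SHA with a version comment,
  # as the jobs above do, instead of the mutable @v4 tags drafted here.
  # dependency-review:
  #   name: Dependency Review
  #   runs-on: ubuntu-latest
  #   if: github.event_name == 'pull_request'
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #     - name: Dependency Review
  #       uses: actions/dependency-review-action@v4
  #       with:
  #         fail-on-severity: high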