
ci: add govulncheck workflow #131

Open

kpitapeersyst wants to merge 1 commit into main from ci/add-govulncheck

Conversation

kpitapeersyst (Contributor) commented Apr 29, 2026

ci: add govulncheck workflow

Motivation 💡

We had no automated check for known CVEs in our Go dependencies. Adding govulncheck to CI catches newly disclosed vulnerabilities on every PR, on push to main, and on a weekly schedule, so issues surface even when no code is changing.

Changes 🛠

  • Added .github/workflows/govulncheck.yml running on push to main, pull_request, weekly cron (Mondays 09:00 UTC), and workflow_dispatch
  • Scoped workflow permissions to contents: read (least privilege, no write access needed)
  • Run govulncheck directly via actions/setup-go + go install instead of golang/govulncheck-action, which fails with a duplicate Authorization header on current runners
  • Pinned actions/checkout and actions/setup-go to commit SHAs

Considerations 🤔

Workflow failing as expected. govulncheck reports vulnerabilities pulled in transitively through cosmos-sdk / cosmos-evm. Cannot be fixed here. Need upstream bump first to keep compatibility.

Summary by CodeRabbit

  • Chores
    • Added a new automated CI workflow that runs vulnerability scanning on pushes to main, on pull requests, weekly (Mondays 09:00 UTC), and via manual dispatch. It uses read-only repository permissions and concurrency control to cancel older runs for the same branch.

coderabbitai (Bot) commented Apr 29, 2026

📝 Walkthrough

Adds a new GitHub Actions workflow that runs govulncheck across all Go packages on pushes to main, pull requests, a weekly schedule, and manual dispatch; sets read-only repo permissions, concurrency controls, and installs Go 1.25 before running the scanner.

Changes

Cohort / File(s): GitHub Actions Workflow, .github/workflows/govulncheck.yml
Summary: Creates a workflow triggered on push (main), pull_request, weekly schedule (Mon 09:00 UTC), and workflow_dispatch. The job runs on ubuntu-latest, checks out the code, sets up Go 1.25, installs golang.org/x/vuln/cmd/govulncheck@latest, and executes govulncheck ./... (all packages). It configures concurrency and restricts repository permissions to read-only.

Sequence Diagram(s)

sequenceDiagram
  actor Dev as Dev
  participant GH as GitHub Actions
  participant Runner as Ubuntu Runner
  participant Repo as Repository
  participant GoTool as Go toolchain
  participant Govuln as govulncheck

  Dev->>GH: push / open PR / schedule / manual
  GH->>Runner: start workflow (concurrency enforced)
  Runner->>Repo: actions/checkout
  Runner->>GoTool: setup-go (1.25)
  Runner->>Runner: go install golang.org/x/vuln/cmd/govulncheck@latest
  Runner->>Govuln: run "govulncheck ./..."
  Govuln-->>Runner: scan results
  Runner-->>GH: report status & logs

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through CI at break of day,
I sniffed each package, chased bugs away,
On pushes, PRs, and a weekly tune,
I guard the code beneath the moon —
A vigilant rabbit with a coding sway. 🥕

🚥 Pre-merge checks: 5 passed
  • Title check: Passed. The title 'ci: add govulncheck workflow' clearly summarizes the main change: adding a CI workflow for govulncheck vulnerability scanning.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The pull request description follows the repository template with all required sections properly completed, providing clear motivation, detailed changes, and relevant considerations.


Comment thread on .github/workflows/govulncheck.yml (Fixed)

coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/govulncheck.yml (2)

6-7: pull_request.branches: ["**"] is redundant

Line 6–7 can be simplified; PR workflows already trigger for all target branches by default when branches is omitted.

Proposed simplification
   push:
     branches: [main]
   pull_request:
-    branches: ["**"]
   schedule:
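Review bot: the hunk is right that `branches: ["**"]` under `pull_request` matches every target branch and therefore changes nothing; note that after the removal the trigger is left as a bare `pull_request:` with a null value, which GitHub Actions accepts, so there is no need to replace it with `{}` or drop the key. The `push` filter on `main` two lines above is unaffected and still wanted.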
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/govulncheck.yml around lines 6-7, the
pull_request.branches: ["**"] entry is redundant; remove the branches key (and
its array) under the pull_request trigger in govulncheck.yml so the workflow
uses the default behavior of running on all target branches. Locate the
pull_request: block and delete the branches: ["**"] mapping (only that key and
value), leaving pull_request: by itself or removing the empty mapping entirely.

21-23: Add timeout-minutes to avoid hung vulnerability scans

Line 21 creates a job with no upper bound. A timeout improves CI reliability and runner utilization if the scan hangs.

Proposed fix
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
     name: Run govulncheck
+    timeout-minutes: 15
     steps:
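Review bot: the added `timeout-minutes: 15` disagrees with the agent prompt for the same finding, which says `timeout-minutes: 30`; settle on one value before applying. Whichever is chosen, size it from a cold run: `go install golang.org/x/vuln/cmd/govulncheck@latest` builds the tool from source and the first scan also downloads the vulnerability database, so the bound must cover both plus the `./...` scan, or the weekly run will time out for the wrong reason.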
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/govulncheck.yml around lines 21-23, the "Run
govulncheck" job currently has no timeout and can hang; add a timeout-minutes
key to the job block (the YAML section containing runs-on: ubuntu-latest and
name: Run govulncheck) to set an upper bound (e.g., timeout-minutes: 30) so the
workflow cancels long-running govulncheck scans and frees the runner.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/govulncheck.yml:
- Around line 19-23: Add an explicit permissions block to the govulncheck job to
enforce least privilege: inside the govulncheck job definition (symbol:
govulncheck) add a permissions mapping that grants only the minimal read scopes
required (e.g., contents: read, packages: read, security-events: write if needed
by govulncheck) so GITHUB_TOKEN no longer inherits repo/org defaults; ensure the
permissions block is at the same indentation level as runs-on and name.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 275cfac3-9d2a-4109-bae8-157ecf098301

📥 Commits

Reviewing files that changed from the base of the PR and between 43c1c36 and c49695c.

📒 Files selected for processing (1)
  • .github/workflows/govulncheck.yml
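The page does not reproduce the workflow file itself, so the following is an added example, not the PR's file: a reconstruction of the workflow as the PR description lays it out (push to main, pull_request, weekly Monday 09:00 UTC cron, workflow_dispatch, contents: read, SHA-pinned actions, go install instead of golang/govulncheck-action) with the review's three suggestions folded in (no redundant branches filter, a job timeout, and an explicit job-level permissions block). The action commit SHAs are placeholders because the real pins are not shown on this page; the Go version and cron come from the walkthrough above; the timeout value is the reviewer's proposed 15.

```yaml
# Added example reconstructing the workflow discussed in this PR; not the
# file from the PR. The action SHAs are PLACEHOLDERS, not real pins.
name: govulncheck

on:
  push:
    branches: [main]
  pull_request:            # no branches filter: PR workflows run for all target branches by default
  schedule:
    - cron: "0 9 * * 1"    # Mondays 09:00 UTC, so newly published advisories surface with no code change
  workflow_dispatch:

# Least privilege: the scanner only needs to read the checkout; GITHUB_TOKEN gets no write scope.
permissions:
  contents: read

# Cancel an older run of the same ref when a newer one starts.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  govulncheck:
    name: Run govulncheck
    runs-on: ubuntu-latest
    timeout-minutes: 15    # upper bound so a hung scan releases the runner
    permissions:           # job-level restatement, so the job never inherits repo/org defaults
      contents: read
    steps:
      # Pin third-party actions to a full commit SHA rather than a mutable tag;
      # keep the tag in a trailing comment so the pin can be reviewed and bumped.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER SHA: replace with the pinned release
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # PLACEHOLDER SHA: replace with the pinned release
        with:
          go-version: "1.25"
      # Install the scanner directly; the PR description reports that
      # golang/govulncheck-action fails with a duplicate Authorization header.
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Scan every package in the module. govulncheck exits non-zero when it
      # finds a vulnerable function that the code actually calls, which fails the job.
      - run: govulncheck ./...
```

As the Considerations section notes, a job written this way fails until the transitive cosmos-sdk / cosmos-evm findings are resolved upstream; that is the intended signal, not a defect of the workflow, and the weekly schedule is what keeps reporting them while no PR touches the code.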
