tailscale/.github/workflows/govulncheck.yml

name: govulncheck

on:
  schedule:
    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
  workflow_dispatch: # allow manual trigger for testing
  pull_request:
    paths:
      - ".github/workflows/govulncheck.yml"

jobs:
  source-scan:
    runs-on: ubuntu-latest

    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install govulncheck
        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Scan source code for known vulnerabilities
        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...

      - name: Post to slack
        if: failure() && github.event_name == 'schedule'
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          method: chat.postMessage
          token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
          payload: |
            {
              "channel": "C05PXRM304B",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "Govulncheck failed in ${{ github.repository }}"
                  },
                  "accessory": {
                    "type": "button",
                    "text": {
                      "type": "plain_text",
                      "text": "View results"
                    },
                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                  }
                }
              ]
            }