From 5790ae0e0f515cf36d36598931caac511f99ac12 Mon Sep 17 00:00:00 2001
From: Faye Amacker <33205765+fxamacker@users.noreply.github.com>
Date: Sat, 4 Mar 2023 17:36:19 -0600
Subject: [PATCH 1/5] Create govulncheck.yml
Add a GitHub Actions workflow to run govulncheck. According to govulncheck docs: "Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program."
---
 .github/workflows/govulncheck.yml | 51 +++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/govulncheck.yml
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 00000000..3dd71cc3
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,51 @@
+# GitHub Actions workflow for govulncheck.
+# This file is licensed under MIT License.
+# https://github.com/fxamacker/cbor
+
+name: govulncheck
+
+# Revoke default permissions and grant what's needed in each job.
+permissions: {}
+
+on:
+ workflow_dispatch:
+ schedule:
+ # Run at least once daily because vulnerability database might be updated.
+ - cron: '30 15 * * *'
+ pull_request:
+ paths:
+ - '**.go'
+ - '**.mod'
+ push:
+ paths:
+ - '**.go'
+ - '**.mod'
+ branches:
+ - 'main'
+ - 'master'
+ - 'release*'
+ - 'feature/stream-mode'
+ tags:
+ - 'v*'
+
+jobs:
+ vulncheck:
+ runs-on: ubuntu-latest
+ permissions:
+ # Grant permission to read content.
+ contents: read
+ steps:
+ - name: Checkout source
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 1
+ - name: Set up Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: 1.20.x
+ check-latest: true
+ - name: Install latest from golang.org
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - name: Run govulncheck
+ # Use -v flag to print a full call stack for each vulnerability found.
+ run: govulncheck -v ./...
From ffa80e2a1433504c5ada75fb72ebd44f5058d59c Mon Sep 17 00:00:00 2001
From: Faye Amacker <33205765+fxamacker@users.noreply.github.com>
Date: Sat, 4 Mar 2023 17:44:44 -0600
Subject: [PATCH 2/5] Update govulncheck.yml
Fix typo by removing a "-".
---
 .github/workflows/govulncheck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 3dd71cc3..93c5535f 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -36,7 +36,7 @@ jobs:
 contents: read
 steps:
 - name: Checkout source
- - uses: actions/checkout@v3
+ uses: actions/checkout@v3
 with:
 fetch-depth: 1
 - name: Set up Go
From e0936c06c50dc4369281e3bd01452fc1270b3c0f Mon Sep 17 00:00:00 2001
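Review bot: `run: go install golang.org/x/vuln/cmd/govulncheck@latest` in the "Install latest from golang.org" step resolves the tool version at run time, so a new upstream release changes what this workflow executes (and can break it) without any commit to this repository; pinning it, `run: go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>`, keeps the scan reproducible and makes tool upgrades reviewable. The same concern applies to `actions/checkout@v3` and `actions/setup-go@v3`, which follow mutable major-version tags; referencing a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, is the usual hardening, and Dependabot's `github-actions` ecosystem can then keep the pins current. The top-level `permissions: {}` combined with only `contents: read` on the job is the right shape for a scheduled job that runs third-party tooling. If `@latest` is kept on purpose (to pick up vulnerability-database format changes, presumably), a one-line comment above that `run:` saying so would spare the next maintainer the question.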
From: Faye Amacker <33205765+fxamacker@users.noreply.github.com>
Date: Sat, 4 Mar 2023 18:09:37 -0600
Subject: [PATCH 3/5] Update govulncheck.yml
Temporarily add '**.yml' to trigger workflow.
---
 .github/workflows/govulncheck.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 93c5535f..c4ab1e7e 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -16,10 +16,12 @@ on:
 paths:
 - '**.go'
 - '**.mod'
+ - '**.yml'
 push:
 paths:
 - '**.go'
 - '**.mod'
+ - '**.yml'
 branches:
 - 'main'
 - 'master'
From 3afff60b46e18bfddbf7af265dd5918489892309 Mon Sep 17 00:00:00 2001
From: Faye Amacker <33205765+fxamacker@users.noreply.github.com>
Date: Sat, 4 Mar 2023 18:15:46 -0600
Subject: [PATCH 4/5] Update govulncheck.yml
---
 .github/workflows/govulncheck.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index c4ab1e7e..93c5535f 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -16,12 +16,10 @@ on:
 paths:
 - '**.go'
 - '**.mod'
- - '**.yml'
 push:
 paths:
 - '**.go'
 - '**.mod'
- - '**.yml'
 branches:
 - 'main'
 - 'master'
From 8329ecad975855c19f076aa3f0627631bf80b527 Mon Sep 17 00:00:00 2001
From: Faye Amacker <33205765+fxamacker@users.noreply.github.com>
Date: Sat, 4 Mar 2023 18:40:12 -0600
Subject: [PATCH 5/5] Update govulncheck.yml
---
 .github/workflows/govulncheck.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 93c5535f..25ebcb8b 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -14,12 +14,12 @@ on:
 - cron: '30 15 * * *'
 pull_request:
 paths:
- - '**.go'
- - '**.mod'
+ - '**'
+ - '!**.md'
 push:
 paths:
- - '**.go'
- - '**.mod'
+ - '**'
+ - '!**.md'
 branches:
 - 'main'
 - 'master'
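Review bot: The new `paths` filter in the last hunk of this patch, `'**'` followed by `'!**.md'` under both `pull_request` and `push`, expresses "everything except Markdown" through a negation that only works because the positive `'**'` entry comes first (GitHub documents that later negative patterns exclude earlier matches, so reordering the two silently disables the filter). `paths-ignore:` with the single entry `'**.md'` states the same rule directly and has no ordering dependency. Whichever form is kept, a one-line comment above the filter noting that only Markdown-only changes are meant to skip the scan would record the intent; the daily `schedule` trigger still covers vulnerability-database updates regardless of the path filter.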
@@ -29,7 +29,7 @@ on:
 - 'v*'
 
 jobs:
- vulncheck:
+ Check:
 runs-on: ubuntu-latest
 permissions:
 # Grant permission to read content.