git » summer » commit fc370fe

github: Disable cache in govulncheck, always use latest version

author Alberto Bertogli
2023-11-17 09:49:44 UTC
committer Alberto Bertogli
2023-11-17 09:49:44 UTC
parent 395325aeacf1df11d9fb7bf55212ec0e0491484f

The govulncheck action is supposed to use the latest Go release, but often
it does not due to an older one being cached in the runner.

This causes false positives when there are security issues in the Go
distribution itself.

To help reduce those, disable the cache and specify that we want the
latest stable version. We need the latter to nudge the setup-go action to
actually fetch the latest one.

.github/workflows/govulncheck.yaml +6 -0

diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 3e92978..39b7260 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -18,4 +18,10 @@ jobs:
       - id: govulncheck
         uses: golang/govulncheck-action@v1
         with:
+          # Use the latest available Go version, and disable the cache
+          # (because it often interferes with finding it).
+          # This helps reduce false positives when there are security issues
+          # in the Go distribution itself.
+          go-version-input: 'stable'
           check-latest: true
+          cache: false
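Review bot: With `go-version-input: 'stable'` plus `check-latest: true`, the standard-library results of this job describe whichever Go release is newest when the job runs, not the toolchain the project is built or released with, and the added comment should state that trade-off. If binaries are produced with an older Go version elsewhere, issues in that toolchain will no longer show up here, so consider noting in the comment that this workflow only covers the latest release. The parenthetical "(because it often interferes with finding it)" is also hard to follow on its own; the commit message's wording, that an older Go release cached in the runner gets used instead of the latest one, would be clearer next to `cache: false`.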