git » gofer » commit 12018a6

github: Disable cache in govulncheck, always use latest version

author Alberto Bertogli
2023-10-16 09:17:24 UTC
committer Alberto Bertogli
2023-10-16 09:26:23 UTC
parent 098095e540baf6dae5b2331c5eab3688e611b21b

The govulncheck action is supposed to use the latest Go release, but often
it does not due to an older one being cached in the runner.

This causes false positives when there are security issues in the Go
distribution itself.

To help reduce those, disable the cache and specify that we want the
latest stable version. We need the latter to nudge the setup-go action to
actually fetch the latest one.

.github/workflows/govulncheck.yaml +6 -0

diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 4e3aeea..3d99728 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -18,4 +18,10 @@ jobs:
       - id: govulncheck
         uses: golang/govulncheck-action@v1
         with:
+          # Use the latest available Go version, and disable the cache
+          # (because it often interferes with finding it).
+          # This helps reduce false positives when there are security issues
+          # in the Go distribution itself.
+          go-version-input: 'stable'
           check-latest: true
+          cache: false
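
Review bot: The new comment above `go-version-input: 'stable'` calls the standard-library findings "false positives", but they are only false if the shipped binaries are also built with the latest stable Go. With `go-version-input: 'stable'` and `check-latest: true` the scan always runs against the newest toolchain, so a vulnerability in an older Go release that is still used for builds will no longer be reported by this job. Suggest stating that assumption in the comment, or adding a second matrix entry that scans with the Go version the release builds actually use. Separately, the unchanged `uses: golang/govulncheck-action@v1` line tracks a movable tag; now that the job is meant to fetch fresh inputs on every run, pinning the action to a full commit SHA would keep the unpinned surface limited to the Go toolchain itself.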