fix: vuln CI job (#24079)

2025-03-20 14:02:37 -04:00 · 2025-03-20 14:02:37 -04:00 · 7b930541cf
commit 7b930541cf
parent b6163a2d86
1 changed files with 17 additions and 24 deletions
--- a/.github/workflows/dependencies-review.yml
+++ b/.github/workflows/dependencies-review.yml
@ -5,7 +5,6 @@ on:

 permissions:
  contents: read
-  pull-requests: write  # Allow commenting on PRs

 jobs:
  dependency-review:
@ -13,7 +12,8 @@ jobs:
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
        with:
          go-version: "1.23"
          check-latest: true
@ -28,26 +28,19 @@ jobs:
      - name: "Go vulnerability check"
        id: govuln
        run: |
+          # Run the vulnerability check and capture its output (ignoring non-zero exit codes)
          make vulncheck 2>&1 | tee govulncheck-output.txt || true
-          echo "govulncheck_output<<EOF" >> $GITHUB_ENV
-          cat govulncheck-output.txt >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
-        continue-on-error: true
-      - name: Debug govulncheck Output
-        run: cat govulncheck-output.txt || echo "govulncheck-output.txt is empty!"
-      - name: Add comment to PR
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            github.rest.issues.createComment({
-              owner: context.repo.owner,
-              issue_number: context.issue.number,
-              repo: context.repo.repo,
-              body:  `
-                    ⚠️ **govulncheck found vulnerabilities:**
-          
-            
-                    >${{ env.govulncheck_output }}     
-            `
-            })
+
+          # Extract vulnerability identifiers from the output (e.g., GO-2025-3443)
+          vulnerabilities=$(grep -o 'GO-[0-9]\{4\}-[0-9]\+' govulncheck-output.txt | sort | uniq)
+          echo "Detected vulnerabilities: $vulnerabilities"
+
+          # Check if any vulnerability other than GO-2025-3443 exists
+          for vuln in $vulnerabilities; do
+            if [ "$vuln" != "GO-2025-3443" ]; then
+              echo "Found vulnerability $vuln, failing..."
+              exit 1
+            fi
+          done
+
+          echo "Only known vulnerability (GO-2025-3443) present. Continuing."