From 7b930541cf50d9a00be49c75c06b6a09351ef027 Mon Sep 17 00:00:00 2001
From: Alex | Interchain Labs
Date: Thu, 20 Mar 2025 14:02:37 -0400
Subject: [PATCH] fix: vuln CI job (#24079)

---
 .github/workflows/dependencies-review.yml | 41 ++++++++++-------------
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/dependencies-review.yml b/.github/workflows/dependencies-review.yml
index caf7f29938..06c9b2f1a4 100644
--- a/.github/workflows/dependencies-review.yml
+++ b/.github/workflows/dependencies-review.yml
@@ -5,7 +5,6 @@ on:
 
 permissions:
 contents: read
- pull-requests: write # Allow commenting on PRs
 
 jobs:
 dependency-review:
@@ -13,7 +12,8 @@ jobs:
 steps:
 - name: "Checkout Repository"
 uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - name: "Setup Go"
+ uses: actions/setup-go@v5
 with:
 go-version: "1.23"
 check-latest: true
@@ -28,26 +28,19 @@ jobs: - name: "Go vulnerability check" id: govuln run: | + # Run the vulnerability check and capture its output (ignoring non-zero exit codes) make vulncheck 2>&1 | tee govulncheck-output.txt || true - echo "govulncheck_output<> $GITHUB_ENV - cat govulncheck-output.txt >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - continue-on-error: true - - name: Debug govulncheck Output - run: cat govulncheck-output.txt || echo "govulncheck-output.txt is empty!" - - name: Add comment to PR - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - github.rest.issues.createComment({ - owner: context.repo.owner, - issue_number: context.issue.number, - repo: context.repo.repo, - body: ` - ⚠️ **govulncheck found vulnerabilities:** - - - >${{ env.govulncheck_output }} - ` - }) \ No newline at end of file + + # Extract vulnerability identifiers from the output (e.g., GO-2025-3443) + vulnerabilities=$(grep -o 'GO-[0-9]\{4\}-[0-9]\+' govulncheck-output.txt | sort | uniq) + echo "Detected vulnerabilities: $vulnerabilities" + + # Check if any vulnerability other than GO-2025-3443 exists + for vuln in $vulnerabilities; do + if [ "$vuln" != "GO-2025-3443" ]; then + echo "Found vulnerability $vuln, failing..." + exit 1 + fi + done + + echo "Only known vulnerability (GO-2025-3443) present. Continuing."
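Review bot: A scanner that fails to run is indistinguishable from a clean scan in the new `run:` block, because `|| true` on the `make vulncheck` line discards its exit status and the grep-based check then finds no `GO-` identifiers and the step passes. Capture the exit status separately and fail when it is non-zero but no identifiers were extracted, so a build error or a missing govulncheck binary cannot silently pass the gate; the `set +e`/`set -e` form below behaves the same under the default `bash -e` step shell and under an explicit `shell: bash`, which adds pipefail and under which the existing `vulnerabilities=$(grep … | sort | uniq)` assignment would presumably abort the step on a clean scan, since grep exits 1 with no matches. The inline allowlist `GO-2025-3443` should also carry the reason it is accepted and the condition for removing it, e.g. `# GO-2025-3443 is accepted because <reason>; remove once <tracking item> is resolved`, and `sort | uniq` can be `sort -u`. The step's enclosing job starts outside the hunk.
```yaml
        run: |
          # Run the scanner without aborting the step, but keep its own exit status:
          # a failed build or a missing tool must not look like a clean scan.
          set +e
          make vulncheck > govulncheck-output.txt 2>&1
          status=$?
          set -e
          cat govulncheck-output.txt

          # … unchanged: extract GO-* identifiers into $vulnerabilities …

          # Non-zero exit with nothing extracted means the scanner itself failed.
          if [ "$status" -ne 0 ] && [ -z "$vulnerabilities" ]; then
            echo "vulncheck exited with status $status but reported no findings"
            exit "$status"
          fi

          # … unchanged: reject any identifier other than GO-2025-3443 …
```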