ci(go): add govulncheck and bump Go to 1.25.11 #378
Run govulncheck in the Go workflow on every PR and upgrade the toolchain to Go 1.25.11 to clear reachable stdlib vulnerabilities.

Signed-off-by: Giulio Calzolari <gcalzolari@nvidia.com>
Greptile Summary: This PR bumps the Go toolchain from 1.25.9 to 1.25.11 across

Confidence Score: 5/5

Straightforward toolchain bump and additive CI job; all changes are mechanical and consistent across the codebase. The Go version is updated uniformly across go.mod, Dockerfile, and all four CI jobs with no discrepancies. The new govulncheck job uses a pinned tool version, mirrors the runner and timeout of the existing jobs, and does not modify any application logic. Documentation and changelog entries are accurate and correctly placed. No files require special attention.
Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
push[Push / Pull Request] --> check
push --> test
push --> build
push --> govulncheck
check["check job\n(lint via golangci-lint)\nGo 1.25.11"]
test["test job\n(go test + coverage)\nGo 1.25.11"]
build["build job\n(make build)\nGo 1.25.11"]
govulncheck["govulncheck job NEW\n(govulncheck@v1.1.4 ./...)\nGo 1.25.11"]
check --> pass[CI Pass]
test --> pass
build --> pass
govulncheck --> pass
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Signed-off-by: Giulio Calzolari <9049490+giuliocalzo@users.noreply.github.com>

Keep PR NVIDIA#377 OCI/Helm entries under Added and pin govulncheck to v1.1.4 for reproducible CI scans.

Signed-off-by: Giulio Calzolari <gcalzolari@nvidia.com>
Summary

- Add a govulncheck job to .github/workflows/go.yml (symbol-level scan via go run golang.org/x/vuln/cmd/govulncheck@latest ./...)
- Bump Go to 1.25.11 in go.mod, Dockerfile, and all CI setup-go steps to address 9 reachable stdlib vulnerabilities on 1.25.9
- Update AGENTS.md, .claude/CLAUDE.md, and CHANGELOG.md

Test plan

- govulncheck reports no reachable vulnerabilities on Go 1.25.11
- make build succeeds locally with Go 1.25.11
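For reference, here is what a pinned govulncheck job of the kind this PR describes looks like as a GitHub Actions workflow. This is an added example, not the project's own go.yml; the runner label, timeout, action versions and job name are assumptions, while the Go version and the govulncheck pin are the ones the PR settles on.

```yaml
# Added example of a govulncheck CI job (not the project's go.yml).
# Assumed: runner label, timeout, checkout/setup-go action versions.
name: go

on:
  push:
  pull_request:

permissions:
  contents: read          # the scan only needs to read the repository

jobs:
  govulncheck:
    runs-on: ubuntu-latest  # assumed: mirror the runner of the existing jobs
    timeout-minutes: 10     # assumed: mirror the timeout of the existing jobs
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          # Pin the toolchain: stdlib findings depend on the exact Go version,
          # so the scan must run on the same version the build ships with.
          go-version: "1.25.11"

      # Pin the tool version so scans are reproducible. With `@latest` the same
      # commit could pass or fail depending on when the job happens to run.
      # In source mode govulncheck only reports vulnerabilities whose affected
      # symbols are actually reachable from this module, and it exits non-zero
      # when it finds one, which fails the job.
      - name: Scan for reachable vulnerabilities (symbol level)
        run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...
```

The `go-version` and `@v1.1.4` values are the two pins to bump together: moving one without the other either scans a toolchain the build does not use or leaves the scanner's vulnerability database behind.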