add govulncheck for scanning vulnerabilities

Signed-off-by: Davanum Srinivas <[email protected]>

Author: dims

.github/workflows/govulncheck.yml

@@ -0,0 +1,89 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Go Vulnerability Check
+
+on:
+  push:
+    branches:
+      - main
+      - "pull-request/[0-9]+"
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/*.yaml'
+      - '.github/*.yml'
+      - '.github/headers/**'
+    tags:
+      - 'v*'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - component: data-models
+          - component: commons
+          - component: platform-connectors
+          - component: store-client-sdk
+          - component: health-events-analyzer
+          - component: fault-quarantine-module
+          - component: fault-remediation-module
+          - component: labeler-module
+          - component: node-drainer-module
+          - component: janitor
+          - component: syslog-health-monitor
+            path: health-monitors/syslog-health-monitor
+          - component: csp-health-monitor
+            path: health-monitors/csp-health-monitor
+          - component: tests
+          - component: simple-health-client
+            path: tilt/simple-health-client
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Setup build environment
+        uses: ./.github/actions/setup-ci-env
+
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@62ad9673df2c2c40aa21cb7fde77b30c3fd9c5d1  # v1.0.4
+        with:
+          go-package: ./${{ matrix.path || matrix.component }}
+          work-dir: ${{ matrix.path || matrix.component }}
+
+      - name: Post results to PR
+        if: failure() && startsWith(github.ref, 'refs/heads/pull-request/')
+        run: |
+          PR_NUM="${{ github.ref }}"
+          PR_NUM="${PR_NUM##*/}"
+          echo "🚨 **Vulnerabilities found in ${{ matrix.component }}**" | gh pr comment "$PR_NUM" --body-file=-
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}