add govulncheck for scanning vulnerabilities

Signed-off-by: Davanum Srinivas <[email protected]>

Author: dims

.github/workflows/govulncheck.yml

@@ -0,0 +1,160 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Go Vulnerability Check
+
+on:
+  push:
+    branches:
+      - main
+      - "pull-request/[0-9]+"
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/headers/**'
+    tags:
+      - 'v*'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - component: data-models
+          - component: commons
+          - component: platform-connectors
+          - component: store-client-sdk
+          - component: health-events-analyzer
+          - component: fault-quarantine-module
+          - component: fault-remediation-module
+          - component: labeler-module
+          - component: node-drainer-module
+          - component: janitor
+          - component: syslog-health-monitor
+            path: health-monitors/syslog-health-monitor
+          - component: csp-health-monitor
+            path: health-monitors/csp-health-monitor
+          - component: tests
+          - component: simple-health-client
+            path: tilt/simple-health-client
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Setup build environment
+        uses: ./.github/actions/setup-ci-env
+
+      - name: Run govulncheck
+        id: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee  # v1.0.4
+        with:
+          work-dir: ${{ matrix.path || matrix.component }}
+        continue-on-error: true
+
+      - name: Upload vulnerability results
+        if: always() && startsWith(github.ref, 'refs/heads/pull-request/')
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+        with:
+          name: govulncheck-results-${{ matrix.component }}
+          path: |
+            results.json
+          retention-days: 1
+          if-no-files-found: ignore
+
+      - name: Create result summary
+        if: always() && startsWith(github.ref, 'refs/heads/pull-request/')
+        run: |
+          mkdir -p results
+          if [ "${{ steps.govulncheck.outcome }}" = "failure" ]; then
+            echo "${{ matrix.component }}" > results/vulnerable-component.txt
+          else
+            echo "${{ matrix.component }}" > results/clean-component.txt
+          fi
+
+      - name: Upload component result
+        if: always() && startsWith(github.ref, 'refs/heads/pull-request/')
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+        with:
+          name: component-result-${{ matrix.component }}
+          path: results/
+          retention-days: 1
+
+  report-results:
+    if: always() && startsWith(github.ref, 'refs/heads/pull-request/')
+    needs: govulncheck
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
+        with:
+          pattern: component-result-*
+          merge-multiple: true
+          path: all-results
+
+      - name: Aggregate results and post comment
+        run: |
+          PR_NUM="${{ github.ref }}"
+          PR_NUM="${PR_NUM##*/}"
+
+          # Collect vulnerable and clean components
+          vulnerable_components=""
+          clean_components=""
+
+          if ls all-results/vulnerable-component.txt &> /dev/null; then
+            vulnerable_components=$(cat all-results/vulnerable-component.txt 2>/dev/null | sort | tr '\n' ' ' || echo "")
+          fi
+
+          if ls all-results/clean-component.txt &> /dev/null; then
+            clean_components=$(cat all-results/clean-component.txt 2>/dev/null | sort | tr '\n' ' ' || echo "")
+          fi
+
+          # Only post comment if vulnerabilities were found
+          if [ -n "$vulnerable_components" ]; then
+            {
+              echo "## 🚨 Go Vulnerability Check Results"
+              echo ""
+              echo "### ⚠️ Components with vulnerabilities:"
+              for component in $vulnerable_components; do
+                echo "- **$component**"
+              done
+              echo ""
+              echo "Please review and address the vulnerabilities found in the above components."
+              echo ""
+              echo "_This comment was automatically generated by the govulncheck workflow._"
+            } | gh pr comment "$PR_NUM" --body-file=-
+
+            echo "Posted vulnerability report to PR #$PR_NUM"
+          else
+            echo "No vulnerabilities found across all components. Skipping PR comment."
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}