From c42ba101e07895d83425c60f6417033627d21842 Mon Sep 17 00:00:00 2001
From: Thane Thomson
Date: Mon, 19 Dec 2022 20:31:52 -0500
Subject: [PATCH] ci: Add govulncheck
Signed-off-by: Thane Thomson
---
.github/workflows/govulncheck.yml | 31 +++++++++++++++++++++++++++++++
Makefile | 17 ++++++++++++++---
2 files changed, 45 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/govulncheck.yml
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 0000000..84b9959
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,31 @@
+name: Check for Go vulnerabilities
+# Runs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck to proactively
+# check for vulnerabilities in code packages if there were any changes made to
+# any Go code or dependencies.
+#
+# Run `make vulncheck` from the root of the repo to run this workflow locally.
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - release/**
+
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v3
+ with:
+ go-version: "1.18"
+ - uses: actions/checkout@v3
+ - uses: technote-space/get-diff-action@v6
+ with:
+ PATTERNS: |
+ **/*.go
+ go.mod
+ go.sum
+ Makefile
+ - name: govulncheck
+ run: make vulncheck
+ if: "env.GIT_DIFF != ''"
diff --git a/Makefile b/Makefile
index 345122c..b5326ed 100644
--- a/Makefile
+++ b/Makefile
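Review bot: The third-party step `technote-space/get-diff-action@v6` in the new workflow is referenced by a mutable tag and the workflow declares no `permissions:` block, so whatever that tag resolves to at run time executes with the repository's default `GITHUB_TOKEN` permissions. Pin it to a full commit SHA, `- uses: technote-space/get-diff-action@<full-commit-sha> # v6`, and add a top-level `permissions:` mapping with `contents: read`, which appears to be all this job needs. Separately, the `if: "env.GIT_DIFF != ''"` gate means the scan runs only when Go files, `go.mod`, `go.sum` or the `Makefile` change. An advisory published later against an unchanged dependency would therefore not be reported until the next such change; a `schedule:` trigger that bypasses the gate would cover that case.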
@@ -1,37 +1,48 @@ GOPATH ?= $(shell go env GOPATH) BUILD_DIR ?= ./build -.PHONY: build build-tm-load-test build-tm-outage-sim-server \ - build-linux build-tm-load-test-linux build-tm-outage-sim-server-linux \ - test lint clean .DEFAULT_GOAL := build BUILD_FLAGS ?= -mod=readonly build: build-tm-load-test build-tm-outage-sim-server +.PHONY: build build-tm-load-test: @go build $(BUILD_FLAGS) \ -ldflags "-X github.com/informalsystems/tm-load-test/pkg/loadtest.cliVersionCommitID=`git rev-parse --short HEAD`" \ -o $(BUILD_DIR)/tm-load-test ./cmd/tm-load-test/main.go +.PHONY: build-tm-load-test build-tm-outage-sim-server: @go build $(BUILD_FLAGS) -o $(BUILD_DIR)/tm-outage-sim-server ./cmd/tm-outage-sim-server/main.go +.PHONY: built-tm-outage-sim-server build-linux: build-tm-load-test-linux build-tm-outage-sim-server-linux +.PHONY: build-linux build-tm-load-test-linux: GOOS=linux GOARCH=amd64 $(MAKE) build-tm-load-test +.PHONY: build-tm-load-test-linux build-tm-outage-sim-server-linux: GOOS=linux GOARCH=amd64 $(MAKE) build-tm-outage-sim-server +.PHONY: build-tm-outage-sim-server-linux test: go test -cover -race ./... +.PHONY: test bench: go test -bench="Benchmark" -run="notests" ./... +.PHONY: bench lint: golangci-lint run ./... +.PHONY: lint clean: rm -rf $(BUILD_DIR) +.PHONY: clean + +vulncheck: + @go run golang.org/x/vuln/cmd/govulncheck@latest ./... +.PHONY: vulncheck
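Review bot: The added line `.PHONY: built-tm-outage-sim-server` misspells the target name, so `build-tm-outage-sim-server`, which the removed combined `.PHONY` list covered, is no longer declared phony; it should read `.PHONY: build-tm-outage-sim-server`. In the new `vulncheck` recipe, `govulncheck@latest` makes every local and CI run download and execute whichever version is newest at that moment, so the security check itself is neither reproducible nor reviewed. Pin a reviewed release and bump it deliberately, e.g. `@go run golang.org/x/vuln/cmd/govulncheck@<pinned-version> ./...`.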