name: govulncheck

on:
  schedule:
    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
  workflow_dispatch: # allow manual trigger for testing
  pull_request:
    paths:
      - ".github/workflows/govulncheck.yml"

jobs:
  source-scan:
    runs-on: ubuntu-latest

    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4

      - name: Install govulncheck
        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Scan source code for known vulnerabilities
        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...

      - uses: ruby/action-slack@v3.2.1
        with:
          payload: >
            {
              "attachments": [{
                "title": "${{ job.status }}: ${{ github.workflow }}",
                "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",
                "text": "${{ github.repository }}@${{ github.sha }}",
                "color": "danger"
              }]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        if: failure() && github.event_name == 'schedule'