name: Govulncheck

on:
  workflow_dispatch:
  push:
    branches:
      - main
      - "release/**"
    paths:
      - "**.go"
      - "**/go.mod"
      - "**/go.sum"
      - ".github/workflows/test-govulncheck.yml"
  pull_request:
    paths:
      - "**.go"
      - "**/go.mod"
      - "**/go.sum"
      - ".github/workflows/test-govulncheck.yml"

jobs:
  govulncheck:
    name: govulncheck
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Install Dependencies
        run: sudo apt-get update && sudo apt-get -y install libcryptsetup-dev libvirt-dev

      - name: Setup Go environment
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: "1.20.1"
          cache: true

      - name: Get Go submodules
        id: submods
        shell: bash
        run: |
          mods=$(go list -f '{{.Dir}}/...' -m | xargs)
          echo "Found mods: $mods"
          echo "submods=${mods}" >> "$GITHUB_OUTPUT"

      - name: Govulncheck
        shell: bash
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@6ad3e3d0781578532aaedbed543b25d7d586c746 # v0.0.0-20230110180137-6ad3e3d07815
          GOMEMLIMIT=5GiB govulncheck "${{ steps.submods.outputs.submods }}"