Add a workflow to auto-bump vulnerable dependencies (#5437)
Merged
Adds a daily workflow that upgrades the root module's dependencies flagged by govulncheck to their fixed versions and opens a PR. The tools/vulnbump command parses the scan JSON, applies the bumps via go get + go mod tidy, and renders the PR summary. Standard-library advisories are left to the Bump Go toolchain workflow. Co-authored-by: Isaac
Add govulncheck to the tools/go.mod tool directive and build it from there, so its version is managed alongside the other tools (and bumpable by dependabot) rather than hardcoded as @Version in the workflow. The vulnerability database is still fetched from vuln.go.dev at runtime, so the pinned binary scans against the latest advisories. Also point setup-go at tools/go.mod, the module this job compiles. Co-authored-by: Isaac
Use `go tool -modfile=tools/go.mod govulncheck`, matching the repo's GO_TOOL idiom in Taskfile.yml. -modfile resolves the pinned tool from tools/go.mod while it scans the root module (the working directory), so there's no need to build the binary first. Co-authored-by: Isaac
Tests run from the package directory, so the fixture can be read with os.ReadFile rather than //go:embed. Co-authored-by: Isaac
Collaborator
Commit: 3852f44
27 interesting tests: 15 SKIP, 7 KNOWN, 5 flaky
Top 23 slowest tests (at least 2 minutes):
renaudhartert-db approved these changes, Jun 4, 2026
denik approved these changes, Jun 5, 2026
denik reviewed, Jun 5, 2026
| with: | ||
| branch: auto/bump-vuln-deps | ||
| commit-message: "Bump dependencies with known vulnerabilities" | ||
| title: "Bump dependencies with known vulnerabilities" |
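Review bot: `commit-message` and `title` carry the same static string and the visible `with:` block passes no `body`, so the PR as opened says nothing about which modules or advisories drove the bump; since the description says vulnbump already renders a PR summary, feed that text in through the action's `body` input so reviewers can see the fixed versions and advisory IDs without opening the diff.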
Contributor
nit: we could also write a small file with the list of upgraded deps and pass it to title
| if err := runCmd(dir, "go", "mod", "tidy"); err != nil { | ||
| return err | ||
| } | ||
| } |
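Review bot: the `go mod tidy` error at the top of this snippet is returned bare (`return err`), so when tidy fails the job log only shows whatever `runCmd` surfaces; wrap it with the step and directory, e.g. `return fmt.Errorf("go mod tidy in %s: %w", dir, err)`, and do the same for the preceding `go get` call the description mentions, so a failed bump names the step that broke.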
Contributor
Pretty simple - nice. I wonder if we need dependabot or can use this also for patch releases.
Contributor
Author
I suspect this is limited to the vulnerability patches and not arbitrary releases.
Rely on set -euo pipefail to abort on govulncheck failure instead of an explicit if-check, and document why the create-pull-request branch is fixed. Co-authored-by: Isaac
github-merge-queue Bot pushed a commit that referenced this pull request, Jun 8, 2026
The `bump-vuln-deps` workflow added in #5437 runs on the protected runner group, which can't reach `proxy.golang.org`, so building vulnbump failed. Add the `Setup JFrog` step (and the `id-token: write` it needs) to route module downloads through Artifactory, like the other Go workflows.
Adds a daily workflow that upgrades the root module's dependencies flagged by `govulncheck` to their fixed versions and opens a PR, alongside the existing Bump Go toolchain workflow. `govulncheck -scan module` reports every advisory affecting a required module regardless of reachability, which is broader than trivy (GHSA-fed, so it lags `golang.org/x/*` advisories). The new `tools/vulnbump` command consumes the scan's JSON, bumps each affected dependency to its highest fixed version via `go get` + `go mod tidy`, and renders the PR summary.

Standard-library advisories are left to the Bump Go toolchain workflow. A `govulncheck` error aborts the job rather than being mistaken for "no vulnerabilities". `govulncheck` is pinned in `tools/go.mod` (bumpable by dependabot); its database is fetched from https://vuln.go.dev at runtime, so scans still use the latest advisories. Parsing, version selection, and summary rendering live in `tools/vulnbump` with unit and end-to-end tests.

This pull request and its description were written by Isaac.
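The description above says vulnbump parses the govulncheck JSON stream, picks the highest fixed version per module, leaves standard-library advisories to the toolchain workflow and renders a PR summary. The block below is an added illustration of that pipeline, not the repository's `tools/vulnbump` code: it reads `govulncheck -json` output (one JSON object per line, of which only the `finding` objects with their `osv`, `fixed_version` and `trace` fields are used), groups findings by module, skips `stdlib` and advisories with no fix, and renders the summary. The input is a constructed sample stream; `example.com/dep`, `example.com/other`, the `GO-0000-000N` IDs and the version numbers are made up for the example, and the semver comparison is a deliberately small one that ignores pre-release ordering.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
)

// finding holds the fields of a govulncheck -json "finding" object that a
// module-level bump needs: the advisory ID, the fixed version (empty when the
// advisory has no fix yet) and the trace whose first frame names the module.
type finding struct {
	OSV          string `json:"osv"`
	FixedVersion string `json:"fixed_version"`
	Trace        []struct {
		Module  string `json:"module"`
		Version string `json:"version"`
	} `json:"trace"`
}

// streamEntry is one object of the JSON stream; config/progress/osv objects
// have other keys and decode to a nil Finding, so they are skipped.
type streamEntry struct {
	Finding *finding `json:"finding"`
}

// Bump is the target version chosen for one module plus the advisories behind it.
type Bump struct {
	Module string
	From   string
	To     string
	OSVs   []string
}

// parseBumps reads a govulncheck -json stream and returns one Bump per
// third-party module, choosing the highest fixed version across its advisories.
// Standard-library findings (module "stdlib") and advisories without a fixed
// version are not bumpable here and are returned in skipped for the summary.
func parseBumps(r io.Reader) (bumps []Bump, skipped []string, err error) {
	byModule := map[string]*Bump{}
	dec := json.NewDecoder(r)
	for {
		var e streamEntry
		if err := dec.Decode(&e); err == io.EOF {
			break
		} else if err != nil {
			return nil, nil, fmt.Errorf("decode govulncheck stream: %w", err)
		}
		f := e.Finding
		if f == nil || len(f.Trace) == 0 {
			continue
		}
		mod, cur := f.Trace[0].Module, f.Trace[0].Version
		if mod == "stdlib" || f.FixedVersion == "" {
			skipped = append(skipped, f.OSV+" ("+mod+")")
			continue
		}
		b, ok := byModule[mod]
		if !ok {
			b = &Bump{Module: mod, From: cur, To: f.FixedVersion}
			byModule[mod] = b
		} else if compareSemver(f.FixedVersion, b.To) > 0 {
			b.To = f.FixedVersion // a later advisory needs a newer fix: take the highest
		}
		b.OSVs = append(b.OSVs, f.OSV)
	}
	for _, b := range byModule {
		sort.Strings(b.OSVs)
		bumps = append(bumps, *b)
	}
	sort.Slice(bumps, func(i, j int) bool { return bumps[i].Module < bumps[j].Module })
	return bumps, skipped, nil
}

// compareSemver orders vMAJOR.MINOR.PATCH strings numerically; pre-release and
// build suffixes are dropped, which is enough for the fixed versions in advisories.
func compareSemver(a, b string) int {
	pa, pb := semverParts(a), semverParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		} else if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

func semverParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(s)
	}
	return out
}

// goGetArgs is the command vulnbump-style tooling would run per bump, followed by go mod tidy.
func goGetArgs(b Bump) []string { return []string{"go", "get", b.Module + "@" + b.To} }

// renderSummary produces the PR body: one line per bump, then items left alone.
func renderSummary(bumps []Bump, skipped []string) string {
	var sb strings.Builder
	sb.WriteString("Bump dependencies with known vulnerabilities\n\n")
	for _, b := range bumps {
		fmt.Fprintf(&sb, "- %s %s -> %s (%s)\n", b.Module, b.From, b.To, strings.Join(b.OSVs, ", "))
	}
	if len(skipped) > 0 {
		sb.WriteString("\nNot bumped (no fix yet, or stdlib: handled by the toolchain workflow):\n")
		for _, s := range skipped {
			fmt.Fprintf(&sb, "- %s\n", s)
		}
	}
	return sb.String()
}

// sampleScan is a constructed govulncheck -scan module -json stream, not real scanner output.
const sampleScan = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning for known vulnerabilities..."}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.0.0"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.4.0","trace":[{"module":"example.com/dep","version":"v1.0.0"}]}}
{"finding":{"osv":"GO-0000-0003","fixed_version":"","trace":[{"module":"example.com/other","version":"v0.9.0"}]}}
{"finding":{"osv":"GO-0000-0004","fixed_version":"go1.22.4","trace":[{"module":"stdlib","version":"go1.22.0"}]}}
`

func main() {
	bumps, skipped, err := parseBumps(strings.NewReader(sampleScan))
	if err != nil {
		panic(err)
	}
	fmt.Print(renderSummary(bumps, skipped))
}
```

Two details matter for the "error aborts the job" point in the description: a decode error is returned rather than treated as an empty result, and an advisory with an empty `fixed_version` is reported in the summary instead of silently producing a no-op `go get`.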