From 4ffacbbe801b90aa147af206809b8c610ccbcefb Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Wed, 24 Sep 2025 12:50:06 +0530
Subject: [PATCH] Another try at running govulncheck

---
 .github/workflows/ci.py | 6 ++++++
 .github/workflows/codeql-analysis.yml | 14 +++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.py b/.github/workflows/ci.py
index ebf80d770..c83f522f4 100644
--- a/.github/workflows/ci.py
+++ b/.github/workflows/ci.py
@@ -266,6 +266,12 @@ def main() -> None:
         package_kitty()
     elif action == 'test':
         test_kitty()
+    elif action == 'test':
+        test_kitty()
+    elif action == 'govulncheck':
+        subprocess.check_call(['go', 'install', 'golang.org/x/vuln/cmd/govulncheck@latest'])
+        with open('govulncheck.sarif', 'wb') as f:
+            subprocess.check_call(['govulncheck', '-format', 'sarif', './...'], stdout=f)
     elif action == 'gofmt':
         q = subprocess.check_output('gofmt -s -l tools kittens'.split()).decode()
         if q.strip():
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 19ba1f743..b77fe919c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,9 +9,6 @@ on:
   schedule:
     - cron: '0 22 * * 5'
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
 jobs:
   CodeQL-Build:
 
@@ -67,3 +64,14 @@ jobs:
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
+
+    - name: Run govulncheck
+      if: matrix.language == 'go'
+      run: python3 .github/workflows/ci.py govulncheck
+
+    - name: Upload govulncheck results
+      if: matrix.language == 'go'
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: govulncheck.sarif
+        category: govulncheck
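Review bot: The added `elif action == 'test':` / `test_kitty()` pair is unreachable, because the identical branch immediately above it already matches that action; the duplicate should be dropped rather than left as dead code in `main()`. The new `govulncheck` branch also installs the scanner with `'golang.org/x/vuln/cmd/govulncheck@latest'`, so every CI run executes whatever the module proxy serves at that moment, with no review step between a new upstream release and it running in this pipeline; pinning to a release tag (or a commit) keeps the tool chain reproducible and makes upgrades an explicit, reviewable change. A short comment on the branch, e.g. `# writes SARIF for upload by codeql-analysis.yml; bump the pinned version deliberately`, would record why the version matters. `main()` begins and continues outside this hunk.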
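Review bot: Deleting the workflow-level `permissions:` block silently widens the `GITHUB_TOKEN` for every job in this file to the repository's default scopes, which depending on the repository or organisation setting can be read-write on every scope. If the block was removed because the new SARIF upload needs more than `contents: read`, the least-privilege change is to widen it, not delete it: `permissions:`, `  contents: read`, `  security-events: write`. This is moot only if the `CodeQL-Build` job declares its own `permissions:` block; the job body lies outside this hunk, so please confirm which case applies. The `# to fetch code (actions/checkout)` comment that documented the intent disappears with the block and should be carried over if it is reinstated.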
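Review bot: The `Upload govulncheck results` step's `if: matrix.language == 'go'` contains no status function, so it is skipped whenever the preceding `Run govulncheck` step fails; if govulncheck signals findings through a non-zero exit status in SARIF mode (worth checking against the documentation for the version actually installed), `check_call` in ci.py fails that step and the report is never uploaded — precisely in the case the scan exists for. Either make the Python side tolerate that exit status or guard the upload with `if: always() && matrix.language == 'go'`, accepting that the upload then fails when no file was written. `github/codeql-action/upload-sarif@v3` also requires `security-events: write` on the token; with the top-level `permissions:` removed in this same commit, confirm the job grants that scope explicitly instead of relying on the repository default. The job and its `matrix` definition start outside this hunk.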