Another try at running govulncheck

.github/workflows/ci.py

@@ -266,6 +266,12 @@ def main() -> None:
         package_kitty()
     elif action == 'test':
         test_kitty()
+    elif action == 'test':
+        test_kitty()
+    elif action == 'govulncheck':
+        subprocess.check_call(['go', 'install', 'golang.org/x/vuln/cmd/govulncheck@latest'])
+        with open('govulncheck.sarif', 'wb') as f:
+            subprocess.check_call(['govulncheck', '-format', 'sarif', './...'], stdout=f)
     elif action == 'gofmt':
         q = subprocess.check_output('gofmt -s -l tools kittens'.split()).decode()
         if q.strip():

.github/workflows/codeql-analysis.yml

@@ -9,9 +9,6 @@ on:
     schedule:
         - cron: '0 22 * * 5'
 
-permissions:
-    contents: read # to fetch code (actions/checkout)
-
 jobs:
     CodeQL-Build:
 
@@ -67,3 +64,14 @@ jobs:
 
         - name: Perform CodeQL Analysis
           uses: github/codeql-action/analyze@v3
+
+        - name: Run govulncheck
+          if: matrix.language == 'go'
+          run: python3 .github/workflows/ci.py govulncheck
+
+        - name: Upload govulncheck results
+          if: matrix.language == 'go'
+          uses: github/codeql-action/upload-sarif@v3
+          with:
+              sarif_file: govulncheck.sarif
+              category: govulncheck