From 4fe746d9aa5b140ebe3775fe35598dd823d1c54b Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Thu, 20 Jul 2023 07:05:35 +0200
Subject: [PATCH] build: Run govulncheck (fixes #8983)
---
 .github/workflows/build-syncthing.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/.github/workflows/build-syncthing.yaml b/.github/workflows/build-syncthing.yaml
index a9dcec216..b3a431028 100644
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@@ -125,6 +125,7 @@ jobs:
 - package-cross
 - package-source
 - package-debian
+ - govulncheck
 steps:
 - uses: actions/checkout@v3
@@ -762,3 +763,25 @@ jobs:
 platforms: linux/amd64,linux/arm64,linux/arm/7
 push: ${{ env.DOCKER_PUSH == 'true' }}
 tags: ${{ env.DOCKER_TAGS }}
+
+ #
+ # Check for known vulnerabilities in Go dependencies
+ #
+
+ govulncheck:
+ runs-on: ubuntu-latest
+ name: Run govulncheck
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: actions/setup-go@v4
+ with:
+ go-version: ${{ env.GO_VERSION }}
+ cache: false
+ check-latest: true
+
+ - name: run govulncheck
+ run: |
+ go run build.go assets
+ go install golang.org/x/vuln/cmd/govulncheck@latest
+ govulncheck ./...
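Review bot: `govulncheck ./...` in the last step of the new job runs once on `ubuntu-latest`, so only that runner's build configuration is analysed, while the list in the first hunk shows the workflow also produces cross-compiled packages (`package-cross`). Code compiled only for other operating systems through build constraints is not scanned; if the project has such files, repeat the call per target, for example `GOOS=windows govulncheck ./...` and `GOOS=darwin govulncheck ./...`. Separately, `govulncheck@latest` lets the scanner version change with no change in the repository, and since the first hunk appears to make another job depend on this one, pinning it (`govulncheck@<pinned-version>`) would keep a tool release from silently changing the gate's result. The job also sets no `permissions:` key; if the workflow has no top-level default outside these hunks, `permissions:` with `contents: read` is enough for a scan.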