From a29e27c3ecb3e065cc8ee32fa865591e0427b6f8 Mon Sep 17 00:00:00 2001
From: Kyle Conroy <kyle@conroy.org>
Date: Tue, 27 Jun 2023 12:58:26 -0700
Subject: [PATCH] build: Run govulncheck on all builds

---
 .github/workflows/ci.yml | 13 ++++++++++++-
 devenv.nix               |  1 +
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7149e386c9..e37c5cc870 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -50,7 +50,6 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-
     - uses: actions/setup-go@v4
       with:
         go-version: '1.20'
@@ -83,3 +82,15 @@ jobs:
       run: ./scripts/report.sh
       env:
         BUILDKITE_ANALYTICS_TOKEN: ${{ secrets.BUILDKITE_ANALYTICS_TOKEN }}
+
+  vuln_check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.20'
+    - run: go install golang.org/x/vuln/cmd/govulncheck@latest
+    - run: govulncheck ./...
diff --git a/devenv.nix b/devenv.nix
index f74b52c56b..e1250867a3 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -7,6 +7,7 @@
     pkgs.go
     pkgs.git
     pkgs.git-cliff
+    pkgs.govulncheck
     pkgs.python311
   ];
 }