---

name: Vulnerability checks

permissions:
  actions: read
  checks: read
  contents: read
  deployments: read
  issues: read
  discussions: read
  pull-requests: read
  repository-projects: read
  security-events: read
  statuses: read

on:
  push:
  pull_request:
  schedule: # daily at 10:22 UTC
    - cron: '22 10 * * *'
  workflow_dispatch:

jobs:
  vuln:
    name: Test vulnerabilities
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v6
      with:
        submodules: recursive

    - name: Setup Go
      uses: actions/setup-go@v6
      with:
        go-version-file: go.mod
        cache: true

    - name: Check for vulnerabilities
      run: |
        go run golang.org/x/vuln/cmd/govulncheck@latest ./...