
Fix long-term GitHub Actions failures and remediate govulncheck CVE findings#437

Status: Open. Copilot wants to merge 7 commits into main from copilot/fix-golangci-lint-action.

Conversation

Copilot AI commented May 9, 2026


Summary

Resolve recurring CI failures in the Test & Build workflow, including golangci-lint breakage and govulncheck checkout/auth issues, and address the vulnerability reported by govulncheck.

Changes

  • Updated golangci/golangci-lint-action usage to:
    • version: latest
    • install-mode: goinstall
  • Updated golang/govulncheck-action usage to set:
    • repo-checkout: false
  • Upgraded vulnerable dependency:
    • golang.org/x/net from v0.49.0 to v0.53.0 (fix for GO-2026-4918)
  • Resulting compatible indirect updates:
    • golang.org/x/crypto to v0.50.0
    • golang.org/x/term to v0.42.0
    • golang.org/x/text to v0.36.0

Why this fixes it long-term

  • golangci-lint is no longer pinned to an older binary built with an older Go toolchain, avoiding future mismatches as the repository Go version advances.
  • govulncheck no longer performs an extra internal checkout on top of the job checkout, preventing duplicate GitHub auth header issues that caused fetch failures.
  • The govulncheck-reported vulnerability is remediated by moving golang.org/x/net to the reported fixed version.

Validation

  • Investigated failing workflow run logs via GitHub Actions MCP:
    • golangci-lint: Go version compatibility error in pinned linter binary
    • govulncheck: duplicate Authorization header caused git fetch HTTP 400
    • govulncheck: reported GO-2026-4918 in golang.org/x/net@v0.49.0, fixed in v0.53.0
  • Local validation:
    • Workflow YAML parses successfully
    • go test ./pkg/metrics ./pkg/client/... succeeds
    • make build succeeds
  • Dependency advisory check:
    • No vulnerabilities found in updated Go dependencies

Notes

  • A full local govulncheck re-run could not complete in this environment due to a transient DNS resolution failure for vuln.go.dev; CI remains the source of truth for the workflow scan result.
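The two workflow settings the description lists, shown as an added before/after fragment rather than the repository's own build-test.yaml; the action version tags, the job layout and the pinned "before" linter version are assumptions, and only the inputs named above (version, install-mode, repo-checkout) are taken from the PR:

```yaml
# Added illustration, not the project's workflow file. Action tags and job
# names are assumptions; the inputs mirror the PR description.
jobs:
  # Before: a pinned golangci-lint binary (placeholder version) that was built
  # against an older Go toolchain, so it breaks once the repo's Go version
  # moves past it. install-mode defaults to "binary", i.e. a prebuilt linter.
  lint-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # tag is an assumption
      - uses: actions/setup-go@v5          # tag is an assumption
        with:
          go-version-file: go.mod
      - uses: golangci/golangci-lint-action@v8   # tag is an assumption
        with:
          version: vX.Y.Z                  # placeholder: an older pinned release

  # After: track the latest linter and build it with the job's own Go
  # toolchain, so there is no binary/toolchain mismatch to re-pin later.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: golangci/golangci-lint-action@v8
        with:
          version: latest
          install-mode: goinstall          # compiled by the job's Go, not downloaded

  # After: govulncheck scans the job's own checkout. With repo-checkout left at
  # its default (true) the action runs a second checkout on top of the first,
  # which is where the duplicate Authorization header on git fetch came from.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: golang/govulncheck-action@v1       # tag is an assumption
        with:
          repo-checkout: false             # reuse the checkout above, one auth header
          go-package: ./...                # scan every package (the action's default)
```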

Copilot AI requested review from Copilot and removed request for Copilot May 9, 2026 15:33
@davidcollom davidcollom marked this pull request as ready for review May 9, 2026 15:34
Copilot AI review requested due to automatic review settings May 9, 2026 15:34
@davidcollom davidcollom enabled auto-merge (squash) May 9, 2026 15:34

Copilot AI left a comment


Pull request overview

Updates the repository’s main Go CI workflow (Test & Build) to address recurring GitHub Actions failures in the lint and govulncheck jobs by adjusting how the tools are installed and how repository checkout is handled.

Changes:

  • Adjust golangci-lint action configuration to install via goinstall and track version: latest.
  • Configure golang/govulncheck-action to skip its internal repo checkout (repo-checkout: false) and rely on the job’s checkout.


Comment thread .github/workflows/build-test.yaml Outdated
@davidcollom

Collaborator

@copilot looks like we have some CVEs that need addressing from the recent govulncheck check... Let's fix them please

Agent-Logs-Url: https://github.com/jetstack/version-checker/sessions/c3b9c0eb-1f13-4658-a1f2-c38f01ad1ec7

Co-authored-by: davidcollom <1504448+davidcollom@users.noreply.github.com>
auto-merge was automatically disabled May 9, 2026 15:43

Head branch was pushed to by a user without write access

Copilot AI commented May 9, 2026

Author

@copilot looks like we have some CVEs that need addressing from the recent govulncheck check... Let's fix them please

Addressed in 991aaa4: upgraded golang.org/x/net from v0.49.0 to v0.53.0 (the govulncheck-reported fixed version for GO-2026-4918), with compatible indirect x/* updates in go.mod/go.sum. Targeted tests and build pass locally (go test ./pkg/metrics ./pkg/client/... and make build).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • vuln.go.dev
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
    • Triggering command: /tmp/go-build1421532942/b001/exe/govulncheck /tmp/go-build1421532942/b001/exe/govulncheck ./... (dns block)
    • Triggering command: /home/REDACTED/go/bin/govulncheck /home/REDACTED/go/bin/govulncheck -show verbose ./... (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Fix long-term GitHub Actions failures in lint and govulncheck jobs Fix long-term GitHub Actions failures and remediate govulncheck CVE findings May 9, 2026
Copilot AI requested a review from davidcollom May 9, 2026 15:45
@davidcollom davidcollom enabled auto-merge (squash) May 9, 2026 15:47
@davidcollom davidcollom requested review from Copilot and removed request for Copilot May 13, 2026 10:09
Copilot AI review requested due to automatic review settings June 2, 2026 10:06

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/build-test.yaml Outdated
Comment thread .github/workflows/build-test.yaml Outdated
Comment thread go.mod Outdated
@davidcollom davidcollom disabled auto-merge June 5, 2026 11:25
Copilot AI review requested due to automatic review settings June 8, 2026 11:01

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/build-test.yaml
Comment thread go.mod
@aidy

aidy commented Jun 10, 2026

Contributor

I don't think that this should be 7 commits for dependency updates + a minor CI modification; please rebase.

@davidcollom

Collaborator

@aidy does it matter? The default merge is squashed anyway.

@aidy

aidy commented Jun 10, 2026

Contributor

There are effectively two functional changes here - one is to update the dependencies, one is to modify the CI action.

Those are distinct and separate things, and so should be separate commits so that they could be independently reverted, should it be necessary, and to facilitate effective use of git bisect.

Ideally, this would be two distinct PRs.

@davidcollom

Collaborator

Ideally, this would be two distinct PRs.

Yea, ideally, but again, does it really matter? Given the fact no one else has contributed to the project for months, I'm reluctant to even care about this project anymore.

one is to update the dependencies, one is to modify the CI action

This is true, but resolving the pipeline means we need to resolve the dependencies, due to govulncheck failing... https://github.com/jetstack/version-checker/actions/runs/27133213187/job/80079106856


Labels: bug (Something isn't working)
