From 3967a172148a5b620d9db4abe679bc21d7e9b4ea Mon Sep 17 00:00:00 2001
From: Simon
Date: Mon, 9 Jan 2023 15:38:01 +0100
Subject: [PATCH] :sparkles: Implement support for private deps via GOPRIVATE & GH PAT (#21)

* :sparkles: Defined Build Args
* :sparkles: Passing args from ENV
* :wrench: Escaping
* Issue with escaping
* :wrench: Moved config to correct place
* :sparkles: Just wanting Token now
* :bug: Using add flag
* :bug: Corrected default value type
* :bug: Mixed up states
* :construction: Investigate weird behaviour
* :construction: Print GOPRIVATE
* :bug: Using correct config override
* :sparkles: Finalized Feature
* :memo: Documented feature
* :memo: Added missing link
---
 Dockerfile | 6 ++++++
 README.md | 26 +++++++++++++++++++++++++-
 action.yml | 6 +++---
 main.go | 1 +
 4 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6a7dd82..2beb57e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,5 +16,11 @@ FROM golang:$GOLANG_VERSION
 ARG VULNCHECK_VERSION=latest
 RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION
+ARG GH_PAT_TOKEN
+RUN if [[ -n "$GH_PAT_TOKEN" ]]; then echo "No token was provided"; else git config --global --add url."https://govulncheck_action:$GH_PAT_TOKEN@github.com/".insteadOf "https://github.com/"; fi
+
+ARG GOPRIVATE
+ENV GOPRIVATE=$GOPRIVATE
+
 COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action
 ENTRYPOINT ["/action"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 91caee9..b731216 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,30 @@ jobs:
 ```
+
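Review bot: The branches of the added `RUN if [[ -n "$GH_PAT_TOKEN" ]]` line are swapped: a non-empty token prints "No token was provided" and skips the git configuration, while an empty token installs an `insteadOf` rewrite that carries an empty credential. The corrected line is `RUN if [ -n "$GH_PAT_TOKEN" ]; then git config --global --add url."https://govulncheck_action:$GH_PAT_TOKEN@github.com/".insteadOf "https://github.com/"; else echo "No token was provided"; fi`. Note that `[[` is a bash extension; unless a `SHELL` instruction outside this hunk selects bash, `RUN` executes under `/bin/sh -c`, which on a Debian-based golang image is presumably dash and has no `[[`, so the test itself likely fails and the `else` branch runs regardless of the token — which would explain why the inverted logic appeared to work during the "Mixed up states" iterations. Because the token arrives as a build `ARG` consumed by a `RUN`, it is stored in clear text both in the image's global git config and in the layer metadata that `docker history` prints, so anyone who can read the `templum/govulncheck-action:local` image on the runner can recover it. Since the credential appears to be needed only when the container runs (module resolution happens at scan time), passing it to `docker run` via `-e` and applying the `git config` rewrite at start-up would keep it out of the image; if it must be baked in, at least remove the image after the run, and add a comment above the line such as `# Rewrite github.com URLs to carry the PAT so private GOPRIVATE modules can be fetched`.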
+ + Example configuration for repository that relies on a private library. + + +> :information_source: This action for the moment works with [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) while creating one make sure it has write-read access to the dependent repositories as this is required for `$ go get`. Further following best practices create the token with the smallest possible scope. + +```yaml +name: My Workflow +on: [push, pull_request] +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Scan for Vulnerabilities in Code + uses: Templum/govulncheck-action@ + env: + GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }} + GOPRIVATE: "github.com/your-name/private-lib" + +``` +
+
+
 This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact.
@@ -142,4 +166,4 @@ jobs:
 > :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
-> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
+> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 462aac8..3b401d4 100644
--- a/action.yml
+++ b/action.yml
@@ -20,18 +20,18 @@ inputs:
 required: false
 fail-on-vuln:
 description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
- default: false
+ default: "false"
 required: false
 skip-upload:
 description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
- default: false
+ default: "false"
 required: false
 runs:
 using: "composite"
 steps:
 - id: build
- run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
+ run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
 shell: bash
 - id: run
 run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e DEBUG=${DEBUG} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
diff --git a/main.go b/main.go
index 09fb657..d628a60 100644
--- a/main.go
+++ b/main.go
@@ -39,6 +39,7 @@ func main() {
 Str("Go-Version", info.Version).
 Str("Go-Os", info.Os).
 Str("Go-Arch", info.Arch).
+ Str("GOPRIVATE", os.Getenv("GOPRIVATE")).
 Msg("GoEnvironment Details:")
 logger.Debug().
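Review bot: The new `docker build` line reads `$GH_PAT_TOKEN` and `$GOPRIVATE` from the ambient environment while neither is declared under `inputs:`, so a consumer who passes them via `with:` instead of `env:` gets a silently unauthenticated build; declaring them as optional inputs (e.g. `gh-pat-token`, `goprivate`, `required: false`) and forwarding `${{ inputs.gh-pat-token }}` makes the contract visible and gives the description a place to state that a read-only token scope is sufficient (the README text added in this commit asks for write-read access, which is more than fetching modules needs). Passing the secret as `--build-arg` also records it in the metadata of `templum/govulncheck-action:local`, and nothing removes that image after the `run` step, so on a self-hosted or reused runner the token stays readable through `docker history` once the job is over; add a final step such as `run: docker image rm templum/govulncheck-action:local` or move the credential to a BuildKit `--secret`. Quote the expansions as `"$GH_PAT_TOKEN"` and `"$GOPRIVATE"` so an unset or whitespace-containing value cannot alter the argument list.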