✨ Allowing better configuration for the action

.github/workflows/integration.yml

@@ -10,4 +10,6 @@ jobs:
         shell: bash
       - name: Integration Test
         id: integration-test
-        uses: Templum/govulncheck-action@main
+        uses: Templum/govulncheck-action@feature/2
+        with:
+          go-version: 1.18.3

Dockerfile

@@ -1,10 +1,9 @@
+ARG GOLANG_VERSION=1.19
 FROM golang:1.19 as builder
 
 WORKDIR /go/src/github.com/Templum/govulncheck-action/
 ENV GO111MODULE=on
 
-RUN CGO_ENABLED=0 go install golang.org/x/vuln/cmd/govulncheck@latest
-
 COPY go.mod go.sum  ./
 RUN go mod download
 
@@ -13,8 +12,9 @@ COPY . .
 # Statically compile our app for use in a distroless container
 RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o action .
 
-FROM golang:1.19
-COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action
-COPY --from=builder /go/bin/govulncheck /usr/local/bin/govulncheck
+FROM golang:$GOLANG_VERSION
+ARG VULNCHECK_VERSION=latest 
+RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION
 
+COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action
 ENTRYPOINT ["/action"]

action.yml

@@ -6,17 +6,28 @@ inputs:
     description: "The package you want to scan, by default will be ./..."
     required: false
     default: "./..."
+  go-version:
+    description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.19 is assumed"
+    required: false
+    default: "1.19"
+  vulncheck-version:
+    description: "Version of govulncheck that should be used, by default latest"
+    required: false
+    default: "latest"
   github-token:
     description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
     default: ${{ github.token }}
-    required: true
+    required: false
 
 runs:
-  using: "docker"
-  image: "Dockerfile"
-  env:
-    GITHUB_TOKEN: "${{ inputs.github-token }}"
-    PACKAGE: "${{ inputs.package }}"
+  using: "composite"
+  steps:
+    - id: build
+      run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t templum/govulncheck-action:local .
+      shell: bash
+    - id: run
+      run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
+      shell: bash
 
 branding:
   icon: "alert-octagon"

old.action.yml

@@ -0,0 +1,23 @@
+name: "Golang Vulncheck"
+description: "Performs vulnerability scan using govulncheck and afterwards uploads it as Sarif Report to Github"
+author: "Templum"
+inputs:
+  package:
+    description: "The package you want to scan, by default will be ./..."
+    required: false
+    default: "./..."
+  github-token:
+    description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
+    default: ${{ github.token }}
+    required: true
+
+runs:
+  using: "docker"
+  image: "Dockerfile"
+  env:
+    GITHUB_TOKEN: "${{ inputs.github-token }}"
+    PACKAGE: "${{ inputs.package }}"
+
+branding:
+  icon: "alert-octagon"
+  color: "red"