chore: add govulncheck check for validator

.github/workflows/validator-tests.yaml

@@ -2,32 +2,35 @@ name: Validator Tests
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
   check-schema:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: '~1.22'
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "~1.22"
 
-    # TODO: Publish releases
-    - name: Build
-      run: make validator
+      - name: Run govulncheck
+        run: |
+          make -C validator govulncheck
 
-    - name: Test
-      run: |
-        cd validator
-        go test .
+      # TODO: Publish releases
+      - name: Build
+        run: make validator
 
-    - name: Run ShellTests
-      run: |
-        make validator-run-shelltests
+      - name: Test
+        run: |
+          cd validator
+          go test .
 
+      - name: Run ShellTests
+        run: |
+          make validator-run-shelltests

.gitignore

@@ -28,3 +28,4 @@ out
 # validator binary
 otel_config_validator
 validator/schema
+validator/.tools

Makefile

@@ -1,3 +1,6 @@
+# Copyright The OpenTelemetry Authors
+# SPDX-License-Identifier: Apache-2.0
+
 SCHEMA_FILES := $(shell find . -path './schema/*.json' -exec basename {} \; | sort)
 EXAMPLE_FILES := $(shell find . -path './examples/*.yaml' -exec basename {} \; | sort)
 $(shell mkdir -p out)

validator/Makefile

@@ -1,3 +1,6 @@
+# Copyright The OpenTelemetry Authors
+# SPDX-License-Identifier: Apache-2.0
+
 ROOT_DIR :=$(realpath $(shell dirname $(lastword $(MAKEFILE_LIST))))
 PARENT_DIR :=$(realpath ${ROOT_DIR}/../)
 CURRENT_GIT_REF :=$(shell git rev-parse --short HEAD)
@@ -7,6 +10,25 @@ DOCKER_SHELLTEST_BUILD_ARGS :=-f ${ROOT_DIR}/Dockerfile --target shelltest -t sh
 EXAMPLE_FILES := $(shell find ${ROOT_DIR}/../examples -name "*.yaml" -exec basename {} \; | sort)
 $(shell mkdir -p out)
 
+GO = go
+
+TOOLS = $(CURDIR)/.tools
+
+TOOLS_MOD_DIR := ./internal/tools
+
+$(TOOLS):
+	@mkdir -p $@
+
+$(TOOLS)/%: $(TOOLS_MOD_DIR)/go.mod | $(TOOLS)
+	cd $(TOOLS_MOD_DIR) && \
+	$(GO) build -o $@ $(PACKAGE)
+
+GOVULNCHECK = $(TOOLS)/govulncheck
+$(TOOLS)/govulncheck: PACKAGE=golang.org/x/vuln/cmd/govulncheck
+
+.PHONY: tools
+tools: $(GOVULNCHECK)
+
 validator-copy-schema:
 	mkdir -p ${ROOT_DIR}/schema
 	find ${PARENT_DIR} -path '*/schema/*.json' ! -path '*/validator/schema/*.json' -exec cp '{}' "${ROOT_DIR}/schema/" ';'
@@ -29,4 +51,8 @@ validator-build-shelltest-image:
 validator-run-shelltests: validator-build-shelltest-image
 	docker run -v ${PARENT_DIR}:/root shelltest:${CURRENT_GIT_REF} -- --plain /root/validator/shelltests
 
+.PHONY: govulncheck
+govulncheck: $(TOOLS)/govulncheck
+	$(GOVULNCHECK) ./...
+
 .PHONY: validator-validate-examples validator-copy-schema validator validator-docker-image

validator/internal/tools/go.mod

@@ -0,0 +1,13 @@
+module otel_config_validator/internal/tools
+
+go 1.22.7
+
+require golang.org/x/vuln v1.1.3
+
+require (
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
+	golang.org/x/tools v0.23.0 // indirect
+)

validator/internal/tools/go.sum

@@ -0,0 +1,18 @@
+github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
+github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
+golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
+golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=

validator/internal/tools/tools.go

@@ -0,0 +1,11 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build tools
+// +build tools
+
+package tools // import "otel_config_validator/internal/tools"
+
+import (
+	_ "golang.org/x/vuln/cmd/govulncheck"
+)