
Fix long-term GitHub Actions failures and remediate govulncheck CVE findings#437

Open
Copilot wants to merge 2 commits into main from copilot/fix-golangci-lint-action

Conversation


Copilot AI commented May 9, 2026

Summary

Resolve recurring CI failures in the Test & Build workflow, including golangci-lint breakage and govulncheck checkout/auth issues, and address the vulnerability reported by govulncheck.

Changes

  • Updated golangci/golangci-lint-action usage to:
    • version: latest
    • install-mode: goinstall
  • Updated golang/govulncheck-action usage to set:
    • repo-checkout: false
  • Upgraded vulnerable dependency:
    • golang.org/x/net from v0.49.0 to v0.53.0 (fix for GO-2026-4918)
  • Resulting compatible indirect updates:
    • golang.org/x/crypto to v0.50.0
    • golang.org/x/term to v0.42.0
    • golang.org/x/text to v0.36.0

Why this fixes it long-term

  • golangci-lint is no longer pinned to an older binary built with an older Go toolchain, avoiding future mismatches as the repository Go version advances.
  • govulncheck no longer performs an extra internal checkout on top of the job checkout, preventing duplicate GitHub auth header issues that caused fetch failures.
  • The govulncheck-reported vulnerability is remediated by moving golang.org/x/net to the reported fixed version.

Validation

  • Investigated failing workflow run logs via GitHub Actions MCP:
    • golangci-lint: Go version compatibility error in pinned linter binary
    • govulncheck: duplicate Authorization header caused git fetch HTTP 400
    • govulncheck: reported GO-2026-4918 in golang.org/x/net@v0.49.0, fixed in v0.53.0
  • Local validation:
    • Workflow YAML parses successfully
    • go test ./pkg/metrics ./pkg/client/... succeeds
    • make build succeeds
  • Dependency advisory check:
    • No vulnerabilities found in updated Go dependencies

Notes

  • A full local govulncheck re-run could not complete in this environment due to a transient DNS resolution failure for vuln.go.dev; CI remains the source of truth for the workflow scan result.
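As an added illustration, and not the project's own .github/workflows/build-test.yaml (which the PR edits but the page does not show), the workflow fragment below lays out the lint and govulncheck jobs with the settings the summary lists. The action major-version tags (@v4, @v5, @v8, @v1), the setup-go step and the job names are assumptions; the "before" values appear only as comments, since the page does not give the old pinned tag.

```yaml
# Added example, not the repository's workflow file. Action tags are assumed;
# check them against the versions the repository actually pins.
name: Test & Build

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # keep the CI toolchain in sync with the module
      - uses: golangci/golangci-lint-action@v8
        with:
          # Before the PR: a pinned release tag installed as a prebuilt binary
          # (the action's default install-mode). That binary fails once the
          # repository's Go version moves past the toolchain it was built with.
          #   version: <older pinned tag>
          # After: build the linter from source with the job's own Go toolchain.
          version: latest
          install-mode: goinstall

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: golang/govulncheck-action@v1
        with:
          go-version-file: go.mod
          go-package: ./...
          # Before the PR the action ran its own checkout on top of the job's,
          # and that second git fetch failed with HTTP 400 because two
          # Authorization headers were sent. Reuse the job's checkout instead.
          repo-checkout: false
```

Two caveats a reviewer would weigh before merging this shape of config. `version: latest` makes the lint result non-reproducible: a new golangci-lint release can turn CI red with no change to the repository, so if reproducibility matters more than freshness, pin a recent tag and bump it deliberately. Independently of that, pinning third-party actions by full commit SHA rather than a floating major tag is the usual supply-chain hardening for workflows that run with repository credentials. The go.mod bump to golang.org/x/net v0.53.0 is a separate change in the same PR and is not part of this fragment.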

Copilot AI requested review from Copilot and removed request for Copilot May 9, 2026 15:33
@davidcollom davidcollom marked this pull request as ready for review May 9, 2026 15:34
Copilot AI review requested due to automatic review settings May 9, 2026 15:34
@davidcollom davidcollom enabled auto-merge (squash) May 9, 2026 15:34

Copilot AI left a comment


Pull request overview

Updates the repository’s main Go CI workflow (Test & Build) to address recurring GitHub Actions failures in the lint and govulncheck jobs by adjusting how the tools are installed and how repository checkout is handled.

Changes:

  • Adjust golangci-lint action configuration to install via goinstall and track version: latest.
  • Configure golang/govulncheck-action to skip its internal repo checkout (repo-checkout: false) and rely on the job’s checkout.


Comment thread .github/workflows/build-test.yaml
@davidcollom (Collaborator)

@copilot looks like we have some CVEs that need addressing from the recent govulncheck check... Let's fix them please

Agent-Logs-Url: https://github.com/jetstack/version-checker/sessions/c3b9c0eb-1f13-4658-a1f2-c38f01ad1ec7

Co-authored-by: davidcollom <1504448+davidcollom@users.noreply.github.com>
auto-merge was automatically disabled May 9, 2026 15:43

Head branch was pushed to by a user without write access

Copilot AI (Author) commented May 9, 2026

@copilot looks like we have some CVEs that need addressing from the recent govulncheck check... Let's fix them please

Addressed in 991aaa4: upgraded golang.org/x/net from v0.49.0 to v0.53.0 (the govulncheck-reported fixed version for GO-2026-4918), with compatible indirect x/* updates in go.mod/go.sum. Targeted tests and build pass locally (go test ./pkg/metrics ./pkg/client/... and make build).

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • vuln.go.dev
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
    • Triggering command: /tmp/go-build1421532942/b001/exe/govulncheck ./... (dns block)
    • Triggering command: /home/REDACTED/go/bin/govulncheck -show verbose ./... (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "Fix long-term GitHub Actions failures in lint and govulncheck jobs" to "Fix long-term GitHub Actions failures and remediate govulncheck CVE findings" May 9, 2026
Copilot AI requested a review from davidcollom May 9, 2026 15:45
@davidcollom davidcollom enabled auto-merge (squash) May 9, 2026 15:47