Add vulncheck to dev-v2

.github/workflows/ci.yml

@@ -49,6 +49,17 @@ jobs:
           args: -c ../scripts/.golangci.yml
           skip-cache: true
 
+  vulnerability-scan:
+    name: Vulnerability Scan
+    uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
+    with:
+      # Use PR head SHA for pull requests (supports PRs from forks).
+      # Fallback to ref name for other contexts.
+      target-branch: ${{ github.event.pull_request.head.sha || github.ref_name }}
+
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-24.04

.github/workflows/nightly-scans.yml

@@ -0,0 +1,18 @@
+name: nightly-scans.yml
+on:
+  schedule:
+    - cron: '0 2 * * *'  # Runs daily at 2:00 AM UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  scan-v2:
+    name: Vulnerability Scan - dev-v2
+    uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
+    with:
+      target-branch: 'dev-v2'

.github/workflows/vulncheck.yml

@@ -0,0 +1,60 @@
+name: vulncheck.yaml
+on:
+  workflow_call:
+    inputs:
+      target-branch:
+        description: 'Target branch to run govulncheck against'
+        type: string
+        required: true
+        default: 'dev-v2'
+  workflow_dispatch:
+    inputs:
+      target-branch:
+        description: 'Target branch to run govulncheck against'
+        required: true
+        default: 'dev-v2'
+
+permissions:
+  contents: read
+
+jobs:
+  vulncheck:
+    name: Vulnerability Check
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write # for reporting vulnerabilities via code-scanning API
+    env:
+      GOPROXY: "https://proxy.golang.org,direct"
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+          # Use inputs.target-branch which can be a branch name or SHA.
+          # Falls back to github.ref_name or 'main' if not provided.
+          ref: ${{ inputs.target-branch || github.ref_name || 'dev-v2' }}
+
+      - name: Check Go version
+        id: get-go-version
+        run: |
+          echo "Reading from go.mod"
+          GO_VERSION=$(grep -E "^toolchain " go.mod | awk -F' ' '{print $2}' | tr -d 'go')
+          echo "Found $GO_VERSION"
+          echo "go-version="$GO_VERSION"" >> $GITHUB_OUTPUT
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ steps.get-go-version.outputs.go-version }}
+          check-latest: true
+          cache: true
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
+
+      - name: Run govulncheck
+        id: govulncheck
+        run: |
+          # Scan only non-test packages to avoid false positives from test-only dependencies
+          govulncheck -scan=symbol $(go list ./... | grep -v '/test/')