From 9bf1aaf4532ae4628f57db18c9e50dd33b2d56f8 Mon Sep 17 00:00:00 2001
From: Nicholas Wiersma
Date: Thu, 14 May 2026 09:11:42 +0200
Subject: [PATCH] chore: update workdflows

---
 .github/workflows/govulncheck.yml | 2 --
 .github/workflows/govulnfix.yml | 52 +++++++++++++++++++++++++++++++
 .github/workflows/test.yml | 11 ++++++-
 3 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/govulnfix.yml

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 32a7d6b..fbb8bdf 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -3,8 +3,6 @@ on:
     branches:
       - main
   pull_request:
-  schedule: # Monday at 04:00 UTC
-    - cron: '0 4 * * Mon'
 
 permissions:
   contents: read
diff --git a/.github/workflows/govulnfix.yml b/.github/workflows/govulnfix.yml
new file mode 100644
index 0000000..0786677
--- /dev/null
+++ b/.github/workflows/govulnfix.yml
@@ -0,0 +1,52 @@
+name: Govulnfix
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  workflow_dispatch:
+  schedule: # Monday at 04:00 UTC
+    - cron: '0 4 * * Mon'
+
+jobs:
+  vulnfix:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        id: install-go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Download dependencies
+        run: go mod download
+        if: steps.install-go.outputs.cache-hit != 'true'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Install vulnfix
+        run: go install github.com/hamba/vulnfix@latest
+
+      - name: Run govulncheck and update go.mod
+        # govulncheck exits 3 when vulnerabilities are found; pipeline should
+        # still reach vulnfix, so we use a subshell with pipefail disabled.
+        run: |
+          set +o pipefail
+          govulncheck -json ./... | tee /tmp/vuln.json | vulnfix -o /tmp/vuln.md
+
+      - name: Open Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          branch: govulncheck/auto-fix
+          delete-branch: "true"
+          commit-message: "chore(deps): fix vulnerabilities reported by govulncheck"
+          title: "chore(deps): fix vulnerabilities reported by govulncheck"
+          body-path: /tmp/vuln.md
+          labels: security,dependencies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a671996..74021d6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -45,7 +45,14 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
-          check-latest: true
+          check-latest: "true"
+
+      - name: Cache Go test cache
+        uses: actions/cache@v4
+        with:
+          path: /home/runner/.cache/go-test-cache
+          key: ${{ runner.os }}-go-testcache-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-go-testcache-
 
       - name: Download dependencies
         run: go mod download
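Review bot: `set +o pipefail` in the `Run govulncheck and update go.mod` step discards every govulncheck exit status, not only the exit 3 the comment is about, so a network, module-loading or build failure (exit 1 or 2) still reaches vulnfix with empty or truncated JSON and the next step can open a pull request with a misleading body; the comment also describes a subshell that the script does not use. I would write the JSON to a file, accept only exit 0 or 3 explicitly, and then run vulnfix on that file, as below. Separately, a pull request created with `secrets.GITHUB_TOKEN` does not trigger `pull_request` workflows, so the test and govulncheck workflows will not run on the `govulncheck/auto-fix` branch; a comment next to `token:` such as `# PRs opened with GITHUB_TOKEN do not trigger CI; re-run the checks manually or use a GitHub App token` makes that visible to whoever reviews the auto-fix PR. The two `go install ...@latest` steps also pull unpinned tool versions into a job that holds `contents: write` and `pull-requests: write`; pinning both to a tagged release keeps the fixer reproducible and reviewable.
```yaml
      - name: Run govulncheck and update go.mod
        # govulncheck exits 3 when it finds vulnerabilities; any other non-zero
        # status is a real failure and must stop the job before vulnfix runs.
        run: |
          rc=0
          govulncheck -json ./... > /tmp/vuln.json || rc=$?
          [ "$rc" -eq 0 ] || [ "$rc" -eq 3 ]
          vulnfix -o /tmp/vuln.md < /tmp/vuln.json
# … unchanged: Open Pull Request step …
```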
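Review bot: The cache key in the new `Cache Go test cache` step omits the Go version even though the job is a matrix (`go-version: ${{ matrix.go-version }}` three lines above), and it changes only when `go.sum` changes, so the first matrix leg to finish saves the single `<os>-go-testcache-<hash>` entry and every other leg and every later run restores that one entry without ever refreshing it. I would key per Go version and per commit and fall back on the version prefix: `key: ${{ runner.os }}-go${{ matrix.go-version }}-testcache-${{ hashFiles('**/go.sum') }}-${{ github.sha }}` and `restore-keys: ${{ runner.os }}-go${{ matrix.go-version }}-testcache-`. The literal `/home/runner/.cache/go-test-cache` is repeated as the `GOCACHE` value in this file's second hunk (`@@ -58,6 +65,8 @@`); if one copy is edited the cache silently stops being used, so defining it once in the job's `env:` and referencing `${{ env.GO_TEST_CACHE }}` in both places is safer. The enclosing job starts outside this hunk.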
@@ -58,6 +65,8 @@ jobs:
 
       - name: Run Tests
         run: gotestsum --format pkgname -- -covermode=atomic -coverprofile=coverage.out -race ./...
+        env:
+          GOCACHE: /home/runner/.cache/go-test-cache
 
       - name: Coveralls
         uses: coverallsapp/github-action@v2