
fix(ci): Add comment if govulncheck fails#3258

Open
elizabethhealy wants to merge 9 commits intomainfrom
add-comment-if-govulncheck-fails

Conversation

@elizabethhealy
Member

@elizabethhealy elizabethhealy commented Apr 3, 2026

Proposed Changes

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

  • Chores
    • CI vulnerability scans no longer fail the job; scan failures are tolerated so pipelines continue.
    • Failing scan results are captured and uploaded as short-retention artifacts for investigation.
    • An automated PR comment is created or refreshed to summarize modules with scan failures, and the summary is removed if no results are available.

@gemini-code-assist
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions github-actions bot added comp:ci Github Actions Work size/s labels Apr 3, 2026
@coderabbitai

coderabbitai bot commented Apr 3, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 28fe277 and 3030150.

📒 Files selected for processing (1)
  • .github/workflows/checks.yaml

Walkthrough

Renames and reconfigures the Go vulnerability scan step to continue-on-error, records failing module paths as short-lived artifacts per matrix job, and adds a follow-up job that aggregates those artifacts and posts or removes a sticky PR comment summarizing govulncheck failures.

Changes

Cohort / File(s): Go vulnerability workflow (.github/workflows/checks.yaml)
Summary: Renamed the govulncheck step, added id: govulncheck and continue-on-error: true; on failure it writes the module path to /tmp/govulncheck-failure-${{ strategy.job-index }}.txt and uploads it as a short-retention artifact. Added a comment-govulncheck job that downloads the govulncheck-failure-* artifacts, aggregates the failing module paths into markdown, and creates/updates or deletes a sticky PR comment with the header govulncheck-results.

Sequence Diagram(s)

sequenceDiagram
  participant Runner as "Matrix Runner"
  participant Actions as "GitHub Actions Artifacts"
  participant CommentJob as "comment-govulncheck Job"
  participant GitHubPR as "GitHub PR Comments"

  Runner->>Runner: run `govulncheck` (continue-on-error)
  alt vuln check fails
    Runner->>Actions: upload `govulncheck-failure-<index>.txt` (short retention)
  end
  Note over Actions,CommentJob: After `go` job finishes
  CommentJob->>Actions: download all `govulncheck-failure-*` artifacts
  alt artifacts downloaded
    CommentJob->>CommentJob: aggregate module paths into markdown
    CommentJob->>GitHubPR: create/update sticky comment header "govulncheck-results"
  else no artifacts
    CommentJob->>GitHubPR: delete existing sticky comment "govulncheck-results"
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • pflynn-virtru
  • jakedoublev

Poem

🐰 I hopped through workflows, tidy and quick,
Saved module names when checks made me tick,
Bundled their notes in short-lived files,
Posted a friendly PR with sticky smiles,
A rabbit's nudge to keep builds slick.

🚥 Pre-merge checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and accurately describes the main change: adding a comment when govulncheck fails in CI, which aligns with the raw summary showing a new comment-govulncheck job that posts PR comments when vulnerability scans fail.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 186.559837ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.093414ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 385.725873ms
Throughput 259.25 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.755413912s
Average Latency 395.576394ms
Throughput 125.77 requests/second

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 194.013746ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 91.756283ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 360.498903ms
Throughput 277.39 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.884927261s
Average Latency 376.593947ms
Throughput 131.98 requests/second

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 186.172961ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 95.466967ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 385.797447ms
Throughput 259.20 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.318866627s
Average Latency 400.530704ms
Throughput 124.01 requests/second


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/checks.yaml:
- Around line 160-166: Replace the non-paginated call to
github.rest.issues.listComments with github.paginate to retrieve all comment
pages before searching for the marker; specifically, use
github.paginate(github.rest.issues.listComments, { owner: context.repo.owner,
repo: context.repo.repo, issue_number: context.issue.number }) to collect all
comments into the comments array and then run the existing find(c =>
c.body.includes(marker)) logic (so the existing variable names comments and
existing remain usable).
- Around line 121-126: The job currently gated by the `if` expression and
`needs: go` (see the `if:` line and the `needs: go` entry, likely in the
comment-govulncheck job) will be skipped when the `go` job fails; wrap the
entire existing condition with GitHub's always() so the job runs regardless of
dependency outcome (e.g. change the `if:` to use always(...) around
`github.event_name == 'pull_request' &&
!github.event.pull_request.head.repo.fork && !cancelled()`), keeping `needs: go`
intact so it still waits for the go job but still executes even if that job
fails.


📥 Commits

Reviewing files that changed from the base of the PR and between f04a385 and bb114b0.

📒 Files selected for processing (1)
  • .github/workflows/checks.yaml

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 188.586074ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 98.771706ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 383.154686ms
Throughput 260.99 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.89018322s
Average Latency 396.732581ms
Throughput 125.34 requests/second

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 196.938051ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.671584ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 377.570925ms
Throughput 264.85 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.220710222s
Average Latency 400.53094ms
Throughput 124.31 requests/second

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • service
  • tests-bdd

See the workflow run for details.

@elizabethhealy elizabethhealy marked this pull request as ready for review April 3, 2026 17:42
@elizabethhealy elizabethhealy requested review from a team as code owners April 3, 2026 17:42
jhaage-virtru previously approved these changes Apr 3, 2026

Contributor

@jakedoublev jakedoublev left a comment


Can we please use the sticky comment reusable GHA? https://github.com/marocchino/sticky-pull-request-comment

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 207.764302ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 105.886514ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 398.010063ms
Throughput 251.25 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.977894008s
Average Latency 407.653615ms
Throughput 122.02 requests/second


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/checks.yaml:
- Around line 128-135: The workflow currently checks steps.download.outcome to
detect "no artifacts" but actions/download-artifact sets outputs.download-path
to empty when pattern matches nothing; update the logic that references the
download step (step id "download" using actions/download-artifact@...) to test
steps.download.outputs.download-path == '' to detect the zero-artifact case and
delete the sticky comment only in that branch, and let real download/API
failures surface (remove or rework continue-on-error on the "download" step so
failures fail the job or handle them explicitly).
- Around line 74-89: The workflow currently sets continue-on-error: true for the
golang/govulncheck-action which lets the matrix leg pass even when
steps.govulncheck.outcome == 'failure'; after the artifact-upload step (uses:
actions/upload-artifact...) add a final conditional step gated by if:
steps.govulncheck.outcome == 'failure' that runs a simple failing command (e.g.,
run: exit 1) to re-fail the matrix leg so the top-level CI blocks on
vulnerabilities; ensure this new step comes after the upload so the artifact is
always saved before exiting non-zero.


📥 Commits

Reviewing files that changed from the base of the PR and between dcc28ae and 28fe277.

📒 Files selected for processing (1)
  • .github/workflows/checks.yaml

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 189.093663ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.634053ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 386.388002ms
Throughput 258.81 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.151949975s
Average Latency 400.015864ms
Throughput 124.53 requests/second

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • service
  • tests-bdd

See the workflow run for details.

@jakedoublev jakedoublev enabled auto-merge April 3, 2026 19:41