From 46b532a1a7e73eb8a2cb238003285f949495b04d Mon Sep 17 00:00:00 2001
From: RebeccaMahany
Date: Fri, 11 Oct 2024 12:14:46 -0400
Subject: [PATCH 1/2] Manually inspect govulncheck output

---
.github/workflows/lint.yml | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4ef21608c..5a4a6384f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -51,9 +51,22 @@ jobs:
 - id: govulncheck
 uses: golang/govulncheck-action@v1
 with:
- go-version-file: './go.mod'
- check-latest: true
- go-package: ./...
+ go-version-file: './go.mod'
+ check-latest: true
+ go-package: ./...
+ output-format: json
+ output-file: govulncheck.json
+
+ - name: Evaluate govulncheck results
+ shell: bash
+ run: |
+ findingCount=$(jq -r '.finding | select ( . != null ) | .osv' govulncheck.json | wc -l)
+ findingCount=$((findingCount + 0))
+ if [[ $findingCount -ne 0 ]]; then
+ printf "govulncheck reports %d findings" "$findingCount"
+ jq -r '.finding | select ( . != null )' govulncheck.json
+ exit 1
+ fi
 
 # This job is here as a github status check -- it allows us to move
 # the merge dependency from being on all the jobs to this single

From e8b6c55a1b59bc2674b7f3cc71c31ef2e85a1e8d Mon Sep 17 00:00:00 2001
From: RebeccaMahany
Date: Fri, 11 Oct 2024 12:32:17 -0400
Subject: [PATCH 2/2] Exclude GO-2024-3166

---
.github/workflows/lint.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5a4a6384f..0f162d6f7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
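Review bot: The new `Evaluate govulncheck results` step fails the job on every `finding` object in the JSON stream, and that stream also carries module- and package-level findings (a vulnerable module that is merely required, or a package imported without any vulnerable symbol being called), so the gate is stricter than the exit status the action provided in text mode, which as far as I know only covers called symbols, while `-json` output exits 0 and leaves this step as the only gate. If the tightening is intended, say so in a comment above the first `jq` line; if the old policy was meant, restrict the count to symbol-level findings, e.g. `jq -r '.finding | select(. != null) | select(.trace[0].function != null) | .osv'`. Counting `.osv` lines also overcounts, because govulncheck emits several findings per advisory (one per trace depth), so piping through `sort -u` before `wc -l` would make the printed number the count of distinct advisories. The `printf` has no trailing newline, so the JSON dump that follows starts on the same line as the summary.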
@@ -57,10 +57,12 @@ jobs:
 output-format: json
 output-file: govulncheck.json
 
+ # Exclude GO-2024-3166 since we do not believe it applies to go-tuf before v2, and additionally
+ # because we do not believe it applies to our usage since we do not use delegates.
 - name: Evaluate govulncheck results
 shell: bash
 run: |
- findingCount=$(jq -r '.finding | select ( . != null ) | .osv' govulncheck.json | wc -l)
+ findingCount=$(jq -r '.finding | select ( . != null ) | .osv | select ( . != "GO-2024-3166")' govulncheck.json | wc -l)
 findingCount=$((findingCount + 0))
 if [[ $findingCount -ne 0 ]]; then
 printf "govulncheck reports %d findings" "$findingCount"
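Review bot: The exclusion of GO-2024-3166 rests on a go-tuf version condition ("before v2") that nothing in the script checks, so a later bump of go-tuf to v2 would keep suppressing an advisory the comment itself says may then apply; at minimum add a removal trigger to the comment, e.g. `# TODO: drop this exclusion and re-evaluate when go-tuf is upgraded to v2.`, or also compare the finding's module version rather than the id alone. The detail dump later in the same `run` block (`jq -r '.finding | select ( . != null )' govulncheck.json`, outside this hunk) does not apply the exclusion, so when other findings trip the gate the log still lists GO-2024-3166 as though it counted; applying the same `select ( .osv != "GO-2024-3166" )` there keeps the count and the dump consistent. Keeping the excluded ids in one shell variable consumed by both `jq` calls would make the next addition a one-line, reviewable change. The `run` block continues past the end of this hunk.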