Hi @kylecarbs. What do you think about running this security analysis?

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

@ghuntley. You may close this if not planned.

I think this is good to merge but I would like approval from @ElliotG first. I will ask them in slack

Elliot is unavailable at the moment so once Mathias approves we can merge.

With bcde5f3 it now runs faster (still pretty slow @ 7+ minutes though). It's a bit of an ugly hack but it works.

The go mod download seems useless though, the perform analysis step does it's own download/module install even though we do the download beforehand.

https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302

Actually, we may want to put back the manual installation of specific Go version, just spotted this output:

2022/12/20 11:10:43 Autobuilder was built with go1.19.3, environment has go1.18.9
[52](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:53)
  2022/12/20 11:10:43 LGTM_SRC is /home/runner/work/coder/coder
[53](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:54)
  2022/12/20 11:10:43 Found go.mod, enabling go modules
[54](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:55)
  go: go.mod file indicates go 1.19, but maximum version supported by tidy is 1.18
[55](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:56)

Since we use go 1.19, I'm guessing it'd be good for the environment to be go 1.19 as well.

Actually, we may want to put back the manual installation of specific Go version, just spotted this output:

2022/12/20 11:10:43 Autobuilder was built with go1.19.3, environment has go1.18.9
[52](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:53)
  2022/12/20 11:10:43 LGTM_SRC is /home/runner/work/coder/coder
[53](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:54)
  2022/12/20 11:10:43 Found go.mod, enabling go modules
[54](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:55)
  go: go.mod file indicates go 1.19, but maximum version supported by tidy is 1.18
[55](https://github.com/coder/coder/actions/runs/3739932860/jobs/6347716302#step:5:56)

Since we use go 1.19, I'm guessing it'd be good for the environment to be go 1.19 as well.

Removed go mod download and added the go 1.19 installation back.

Removed go mod download and added the go 1.19 installation back.

👍

I noticed the rm Makefile also got removed. Without it the analysis step (for Go) downloads node modules and builds the site package (and other make commands as well). It adds unneeded execution time. I would love another way to disable it though but found nothing in the docs.

Removed go mod download and added the go 1.19 installation back.

👍

I noticed the rm Makefile also got removed. Without it the analysis step (for Go) downloads node modules and builds the site package (and other make commands as well). It adds unneeded execution time. I would love another way to disable it though but found nothing in the docs.

Added that back @mafredri But still taking +7 minutes.

Added that back @mafredri But still taking +7 minutes.

Thanks. Yeah it's too bad. I'm not sure if we can beat the 7min by much but I tried adding go mod caching in hopes that it'd save some time, let's see.

EDIT: Nice, down to a bit over 5min.

Thought it’d be nice to get this in so I hit merge. Thanks for your contribution @matifali! (We can always iterate on this further if something needs tweaking.)