create a separate workflow for go analyse

.github/workflows/build_test_ci.yml

@@ -70,54 +70,6 @@ jobs:
         token: ${{ secrets.CODECOV_TOKEN }}
         slug: linode/cluster-api-provider-linode
 
-
-  go-analyse:
-    needs:  go-build-test
-    runs-on: ubuntu-latest
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@v2
-      with:
-        disable-sudo: true
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          github.com:443
-          proxy.golang.org:443
-          sum.golang.org:443
-          objects.githubusercontent.com:443
-          registry-1.docker.io:443
-          auth.docker.io:443
-          production.cloudflare.docker.com:443
-          vuln.go.dev:443
-          storage.googleapis.com:443
-
-    - uses: actions/checkout@v4
-
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-        check-latest: true
-
-    - name: Docker cache
-      uses: ScribeMD/[email protected]
-      with:
-        key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}
-
-    - name: Lint
-      run: make lint
-
-    - name: Gosec
-      run: make gosec
-
-    - name: Vulncheck
-      continue-on-error: true
-      run: make vulncheck
-
-    - name: Nilcheck
-      run: make nilcheck
-
   e2e-test:
     needs:  [go-build-test, docker-build]
     runs-on: ubuntu-latest

.github/workflows/go-analyse.yml

@@ -0,0 +1,76 @@
+name: Go Analyse
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  check-noop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dorny/paths-filter@v3
+        with:
+          predicate-quantifier: 'every'
+          filters: |
+            src: 
+             - '!**/**.md'
+             - '!docs/**'
+  go-analyse:
+    needs: go-build-test
+    runs-on: ubuntu-latest
+    if: ${{ steps.filter.outputs.src == 'true' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            objects.githubusercontent.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            vuln.go.dev:443
+            storage.googleapis.com:443
+
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          check-latest: true
+
+      - name: lint
+        uses: golangci/golangci-lint-action@v4
+        with:
+          version: latest
+
+      - name: Nilcheck
+        run: make nilcheck
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          # we let the report trigger content trigger a failure using the GitHub Security features.
+          args: '-no-fail -fmt sarif -out scan-results.sarif ./...'
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: scan-results.sarif
+