Use kernelkit/goyang instead of patched builtin

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /src/webui
+    schedule:
+      interval: weekly
+    # goyang is pinned to our kernelkit fork via a replace directive and
+    # stepped by hand when we add patches; leave it for Dependabot to ignore.
+    ignore:
+      - dependency-name: github.com/openconfig/goyang
+
+  - package-ecosystem: gomod
+    directory: /src/netbrowse
+    schedule:
+      interval: weekly

.github/workflows/govulncheck.yml

@@ -0,0 +1,68 @@
+name: Go Vulnerability Scan
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'src/webui/**'
+      - 'src/netbrowse/**'
+      - '.github/workflows/govulncheck.yml'
+  pull_request:
+    paths:
+      - 'src/webui/**'
+      - 'src/netbrowse/**'
+      - '.github/workflows/govulncheck.yml'
+  schedule:
+    - cron: '5 0 * * 6'  # Saturday at 00:05 UTC, same as Coverity
+  workflow_dispatch:
+
+jobs:
+  govulncheck:
+    if: ${{ github.repository_owner == 'kernelkit' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        module:
+          - src/webui
+          - src/netbrowse
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Scan ${{ matrix.module }}
+        working-directory: ${{ matrix.module }}
+        run: |
+          # Full report, for the run summary.  govulncheck exits non-zero
+          # whenever it finds anything, so don't let it fail the step here.
+          {
+            echo "## govulncheck: ${{ matrix.module }}"
+            echo '```'
+            govulncheck ./... || true
+            echo '```'
+          } | tee -a "$GITHUB_STEP_SUMMARY"
+
+          # Gate on vulnerabilities reachable from our code through a
+          # dependency.  govulncheck's call-graph analysis is transitive,
+          # so indirect use counts too (we call a dep that calls the bad
+          # symbol).  trace[0] is the vulnerable symbol; we key on the
+          # module it lives in.  A chain that bottoms out in stdlib is
+          # fixed by bumping the Buildroot host Go, not this module's
+          # go.mod, so it's reported above but doesn't fail the build.
+          # Keep the json scan and jq unguarded so a tool failure fails the
+          # gate closed; only grep's no-match exit (all-clear) is tolerated.
+          govulncheck -format json ./... > scan.json || true
+          called=$(jq -r 'select(.finding.trace[0].function != null) |
+                          .finding.trace[0].module' scan.json | sort -u)
+          vulns=$(printf '%s' "$called" | grep -vx stdlib || true)
+          if [ -n "$vulns" ]; then
+            echo "::error::Called vulnerabilities in dependencies: $(echo "$vulns" | paste -sd, -)"
+            exit 1
+          fi

src/webui/go.mod

@@ -4,14 +4,10 @@ go 1.22.0
 
 toolchain go1.22.2
 
-require (
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/openconfig/goyang v1.6.3 // indirect
-	github.com/pborman/getopt v1.1.0 // indirect
-)
+require github.com/openconfig/goyang v1.6.3
 
-// Local fork of goyang with YANG 1.1 fixes:
-//   - Uses.Augment: *Augment → []*Augment (multiple augments per uses)
-//   - Value: add Reference field (when { reference "..."; })
-//   - Input/Output: add Must field (must statements in rpc input/output)
-replace github.com/openconfig/goyang => ./internal/goyang
+require github.com/google/go-cmp v0.7.0 // indirect
+
+// kernelkit/goyang fork carrying our YANG 1.1 fixes: reference on Value,
+// multiple uses-augments, and must in rpc input/output.
+replace github.com/openconfig/goyang => github.com/kernelkit/goyang v1.6.4-0.20260617163501-afcacf84230c

src/webui/go.sum

@@ -1,6 +1,8 @@
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/openconfig/goyang v1.6.3 h1:9nWXBwd6b4+nZr8ni7O4zUXVhrVMXCLFz8os5YWFuo4=
-github.com/openconfig/goyang v1.6.3/go.mod h1:5WolITjek1NF8yrNERyVZ7jqjOClJTpO8p/+OwmETM4=
-github.com/pborman/getopt v1.1.0 h1:eJ3aFZroQqq0bWmraivjQNt6Dmm5M0h2JcDW38/Azb0=
-github.com/pborman/getopt v1.1.0/go.mod h1:FxXoW1Re00sQG/+KIkuSqRL/LwQgSkv7uyac+STFsbk=
+github.com/kernelkit/goyang v1.6.4-0.20260617163501-afcacf84230c h1:CFApC5asdQoMmQZ1YdP2fDX38K37vObCH8EEKeMFHE8=
+github.com/kernelkit/goyang v1.6.4-0.20260617163501-afcacf84230c/go.mod h1:5WolITjek1NF8yrNERyVZ7jqjOClJTpO8p/+OwmETM4=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/openconfig/gnmi v0.14.1 h1:qKMuFvhIRR2/xxCOsStPQ25aKpbMDdWr3kI+nP9bhMs=
+github.com/openconfig/gnmi v0.14.1/go.mod h1:whr6zVq9PCU8mV1D0K9v7Ajd3+swoN6Yam9n8OH3eT0=