build(dep): Ignore known dependency failure in nancy (#1378)

Currently nancy is always failed, and we seem to ignore it completely.
This reduces the value of having security scanning significantly.
Ideally, the underlying issue should be fixed, however it will require
long time for external collaboration.

This commit is to ignore two known dependency failures.

Signed-off-by: Tam Mach <[email protected]>

Author: sayboras

.github/workflows/pr-extra.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
-      # We cannot use nancy-github-action because it is outdated, so it's better to use the latest
-      # docker image for the validation
-      - name: nancy
-        run: go list -json -m all | docker run -i sonatypecommunity/nancy:v0.3
+      - name: Run go list
+        run: go list -json -m all > go.list
+      - name: Nancy
+        uses: sonatype-nexus-community/nancy-github-action@master

.nancy-ignore

@@ -0,0 +1,11 @@
+# Skip for golang/golang.org/x/[email protected]
+CVE-2018-17848
+CVE-2018-17143
+CVE-2018-17847
+CVE-2018-17142
+CVE-2018-17846
+
+# Skip for indirect dependency github.com/coreos/[email protected]
+CVE-2020-15114
+CVE-2020-15115
+CVE-2020-15136