ci/gha: add govulncheck job

This is to ensure our minimal dependencies do not have known
vulnerabilities.

NOTE we do not specify Go version to be used here to avoid reporting
vulnerabilities in stdlib which we're not interested in here.

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

.github/workflows/validate.yml

@@ -75,11 +75,17 @@ jobs:
         go-version: "${{ env.GO_VERSION }}"
     - run: go mod tidy --diff
 
+  govulncheck:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: golang/govulncheck-action@v1
+
   all-done:
     needs:
       - codespell
       - deps
       - go-fix
+      - govulncheck
       - lint
       - space-at-eol
     runs-on: ubuntu-24.04