
Conversation

@tangrufus (Member) commented Sep 9, 2024

Note: This job is failing because we actually have a vulnerability on the master branch. See https://github.com/roots/trellis-cli/security/dependabot

$ govulncheck -version
Go: go1.23.1
Scanner: govulncheck@v1.1.3
DB: https://vuln.go.dev
DB updated: 2024-09-06 20:44:22 +0000 UTC

$ git log --pretty=format:'%h %B' -n 1
b934f4a Merge pull request #466 from roots/go-1.23.1

Go 1.23

$ govulncheck -test -show verbose ./...
Scanning your code and 255 packages across 49 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2698
    Archiver Path Traversal vulnerability in github.com/mholt/archiver
  More info: https://pkg.go.dev/vuln/GO-2024-2698
  Module: github.com/mholt/archiver
    Found in: github.com/mholt/archiver@v3.1.1+incompatible
    Fixed in: N/A
    Example traces found:
      #1: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Bz2.String
      #2: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Gz.String
      #3: github/main_test.go:130:46: github.createZipFile calls archiver.NameInArchive
      #4: github/main_test.go:115:24: github.createZipFile calls archiver.NewZip
      #5: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Rar.String
      #6: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Snappy.String
      #7: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Tar.String
      #8: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarBz2.String
      #9: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarGz.String
      #10: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarLz4.String
      #11: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarSz.String
      #12: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.TarXz.String
      #13: github/main.go:56:30: github.DownloadRelease calls archiver.Unarchive
      #14: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Xz.String
      #15: github/main_test.go:122:2: github.createZipFile calls archiver.Zip.Close
      #16: github/main_test.go:117:19: github.createZipFile calls archiver.Zip.Create
      #17: cmd/new.go:245:20: cmd.NewCommand.YamlHeader calls fmt.Sprintf, which eventually calls archiver.Zip.String
      #18: github/main_test.go:140:18: github.createZipFile calls archiver.Zip.Write
      #19: github/main.go:13:2: github.init calls archiver.init

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
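The trace above that matters at runtime is #13, github.DownloadRelease calling archiver.Unarchive, which govulncheck matches against GO-2024-2698, a path traversal advisory with no fixed version. The following Go program is an added example, not code from trellis-cli or from mholt/archiver, showing the check an extractor needs to defeat that bug class: every entry name is resolved under the destination directory and the whole archive is rejected if any name escapes, before a single byte is written. BuildZip, ZipEntry, SafeJoin and ExtractZip are names chosen here, the archive contents are constructed sample input, and refusing symlink entries is this example's own policy choice, not something the advisory states.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an entry name would resolve outside the
// destination directory (the "zip slip" pattern behind path-traversal
// bugs in archive extractors).
var ErrTraversal = errors.New("archive entry escapes destination directory")

// ZipEntry is a constructed (name, body) pair used to build sample archives.
type ZipEntry struct {
	Name string
	Body string
}

// BuildZip returns an in-memory zip containing the given entries in order.
func BuildZip(entries []ZipEntry) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			return nil, err
		}
		if _, err := io.WriteString(w, e.Body); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// SafeJoin resolves an archive entry name under dest and rejects absolute
// names, volume-prefixed names, and any name that cleans to a path outside dest.
func SafeJoin(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	native := filepath.FromSlash(name) // archive names use forward slashes
	if strings.HasPrefix(name, "/") || filepath.IsAbs(native) || filepath.VolumeName(native) != "" {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	target := filepath.Join(absDest, native) // Join also collapses ".." segments
	rel, err := filepath.Rel(absDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// ExtractZip validates every entry of an in-memory zip before writing anything,
// then unpacks it under dest and returns the file paths written. Symlink
// entries are refused outright (a policy choice for this example): a link
// pointing outside dest could otherwise be followed by a later entry.
func ExtractZip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("refusing symlink entry %q", f.Name)
		}
		if targets[i], err = SafeJoin(dest, f.Name); err != nil {
			return nil, err
		}
	}
	var written []string
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return written, err
		}
		if err := copyEntry(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}

// copyEntry streams one zip member to target, keeping the archive's
// permission bits but always leaving the owner read/write.
func copyEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode().Perm()|0o600)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}
```

The two-pass shape is the point: validating names while extracting still leaves the first entries on disk when a later one is hostile, so a caller that retries or ignores the error ends up with a half-unpacked release. Validate the whole archive first, then write. The same SafeJoin check applies to tar headers, where the name and the link target of symlink and hardlink entries both need it.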

@swalkinshaw (Member) commented

I guess this is the only fix for now: go-gitea/gitea#31267

@swalkinshaw (Member) commented

After #532 this finally passes 🎉

@swalkinshaw swalkinshaw merged commit 1eebc4f into master Mar 30, 2025
4 checks passed
@swalkinshaw swalkinshaw deleted the govulncheck branch March 30, 2025 18:22