build: Run govulncheck on all builds (#2372)

Author: kyleconroy

.github/workflows/ci.yml

@@ -50,7 +50,6 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-
     - uses: actions/setup-go@v4
       with:
         go-version: '1.20'
@@ -83,3 +82,15 @@ jobs:
       run: ./scripts/report.sh
       env:
         BUILDKITE_ANALYTICS_TOKEN: ${{ secrets.BUILDKITE_ANALYTICS_TOKEN }}
+
+  vuln_check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.20'
+    - run: go install golang.org/x/vuln/cmd/govulncheck@latest
+    - run: govulncheck ./...

devenv.nix

@@ -7,6 +7,7 @@
     pkgs.go
     pkgs.git
     pkgs.git-cliff
+    pkgs.govulncheck
     pkgs.python311
   ];
 }