Add govulncheck to ci/cd

Add govulncheck, a conservative static analyzer that checks the
reachability of vulnerabilities.

This provides an upper bound on the actual vulnerabilities that
are applicable, and is lower-noise than generic checks that check
if a vulnerable library is used.

.github/workflows/go.yml

@@ -24,6 +24,12 @@ jobs:
       with:
         go-version-file: 'go.mod'
 
+    - id: govulncheck
+      uses: golang/govulncheck-action@v1
+      with:
+        go-version-file: 'go.mod'
+        go-package: ./...
+
     - name: Test & Vet
       run: make test vet