onflow / atree

Atree provides scalable arrays and scalable ordered maps.
https://onflow.org
Apache License 2.0

Add CI check for vulnerabilities affecting Go code #294

Closed fxamacker closed 1 year ago

fxamacker commented 1 year ago

Description

Add a GitHub Actions workflow to run govulncheck.

According to govulncheck docs:

Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.

By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.

More info at:

Closes #293
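A GitHub Actions workflow of the kind the description proposes, added here as an illustration; it is not the workflow file from this PR, and the file path, branch name and weekly schedule are assumptions.

```yaml
# .github/workflows/govulncheck.yml
# Added example, not the file from PR #294. The branch name "main"
# and the weekly cron are assumptions.
name: govulncheck

on:
  push:
    branches: [ main ]
  pull_request:
  schedule:
    # Re-scan weekly so advisories published after the last commit
    # are still caught, even when no code changes land.
    - cron: '0 6 * * 1'

permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          # Use the Go version declared by the module under test.
          go-version-file: go.mod

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck in source mode
        # Requests to https://vuln.go.dev carry only module paths.
        # Static analysis then narrows the report to vulnerable
        # symbols the code can actually reach. govulncheck exits
        # non-zero when such a vulnerability is found, which fails
        # the job and blocks the merge.
        run: govulncheck ./...
```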


turbolent commented 1 year ago

Good idea, but it might be better to do this in dapperlabs/atree-internal

fxamacker commented 1 year ago

Good idea, but it might be better to do this in dapperlabs/atree-internal

Hey @turbolent that sounds good, @j1010001 made a similar comment.

Maybe we can set up a single private repo to govulncheck multiple public repos. Someone in Flow Admins would seem better suited for this task, I'll ask @j1010001.

If we are also moving CodeQL and all similar vulnerability scanning off of public repos, then maybe we can use the same private repo for those too.