Check for vulnerabilities

.github/workflows/govulncheck.yml

@@ -0,0 +1,38 @@
+---
+
+name: Vulnerability checks
+
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  deployments: read
+  issues: read
+  discussions: read
+  pull-requests: read
+  repository-projects: read
+  security-events: read
+  statuses: read
+
+on:
+  push:
+  pull_request:
+  schedule: # daily at 10:22 UTC
+    - cron: '22 10 * * *'
+  workflow_dispatch:
+
+jobs:
+  vuln:
+    name: Test vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        submodules: recursive
+
+    - uses: jdx/mise-action@v3
+      name: Install mise
+
+    - name: Run tests
+      run: mise tasks run vuln

.mise.toml

@@ -1,6 +1,7 @@
 [tools]
 "go:golang.org/x/pkgsite/cmd/pkgsite" = "latest"
 "go:golang.org/x/tools/gopls" = "latest"
+"go:golang.org/x/vuln/cmd/govulncheck" = "latest"
 "go:mvdan.cc/gofumpt" = "latest"
 go = "latest"
 golangci-lint = "latest"
@@ -26,6 +27,10 @@ run = [
 description = "Run linter"
 run = "golangci-lint run"
 
+[tasks.vuln]
+description = "Test for vulnerabilities"
+run = "govulncheck ./..."
+
 [tasks.test]
 description = "Run tests"
 run = "go test -v ./..."

mise.lock

@@ -15,6 +15,10 @@ backend = "go:golang.org/x/pkgsite/cmd/pkgsite"
 version = "0.21.1"
 backend = "go:golang.org/x/tools/gopls"
 
+[[tools."go:golang.org/x/vuln/cmd/govulncheck"]]
+version = "1.1.4"
+backend = "go:golang.org/x/vuln/cmd/govulncheck"
+
 [[tools."go:mvdan.cc/gofumpt"]]
 version = "0.9.2"
 backend = "go:mvdan.cc/gofumpt"