boulder
Add govulncheck to CI
Summary: The Go security team has just released a new database of known security vulnerabilities in importable public packages, and an associated tool to check if you call the affected functions. We should use it.
Steps to reproduce:
Run ./t.sh -l
Expected result: Get reports of known security vulnerabilities in functions that we (transitively) call.
Actual result: A bunch of really good linters run, but nothing that compares against known CVEs.