CI does not run staticcheck or govulncheck #30

@dolph

Description

Summary

The ci.yml workflow runs go vet, go build, and go test -race but no third-party static analysis:

  • staticcheck would catch a number of issues already documented elsewhere — e.g., the deprecated rand.Seed call in find_replace.go:32 (deprecated since Go 1.20), use of strings.Replace(s, find, repl, -1) where strings.ReplaceAll is now idiomatic, etc.
  • govulncheck would scan the dependency tree against the Go vulnerability database. Even with one external dep (golang.org/x/tools), it's the cheapest extra signal available.

The golangci-lint.yml workflow exists but (per the companion issue about retired action versions) is using a deprecated action; even if it ran, the default linter set is conservative and doesn't include govulncheck.

Impact (Maintainer / Security: Medium)

  • A whole class of API-deprecation and known-CVE issues goes undetected in CI.
  • Catching these in CI is cheaper than catching them in review.

Suggested Fix

Add two steps to ci.yml (or extend the golangci-lint workflow once it's modernized):

- name: staticcheck
  uses: dominikh/staticcheck-action@v1
  with: { version: latest, install-go: false }

- name: govulncheck
  uses: golang/govulncheck-action@v1

Optionally also gofmt -l . | tee /dev/stderr | (! read) to enforce formatting, since neither vet nor staticcheck enforces gofmt.
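For reference, here is how the two proposed steps and the optional gofmt gate fit into a complete workflow alongside the checks ci.yml already runs. This is an added example, not the project's actual ci.yml: the `main` branch name, the checkout and setup-go action versions, and reading the Go version from go.mod are assumptions.

```yaml
# Added example: a full ci.yml combining the existing checks (vet, build,
# test -race) with the staticcheck and govulncheck steps proposed above and a
# gofmt gate. Not the project's real ci.yml; the branch name, the
# checkout/setup-go versions and the go-version-file setting are assumptions.
name: ci

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read   # least privilege: this job only needs to read the source

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumes go.mod declares the Go version

      - name: go vet
        run: go vet ./...

      - name: go build
        run: go build ./...

      - name: go test
        run: go test -race ./...

      # staticcheck reports deprecated APIs such as rand.Seed (check SA1019)
      # plus the other simplifications mentioned above. install-go: false
      # reuses the toolchain that setup-go installed earlier in this job.
      - name: staticcheck
        uses: dominikh/staticcheck-action@v1
        with:
          version: latest
          install-go: false

      # govulncheck compares the module's dependency tree and the Go standard
      # library against the Go vulnerability database and reports findings
      # whose vulnerable functions are actually reachable from this code.
      - name: govulncheck
        uses: golang/govulncheck-action@v1

      # gofmt -l prints the names of files that are not gofmt-clean; any
      # output fails the job. Neither vet nor staticcheck checks formatting.
      - name: gofmt
        run: |
          unformatted=$(gofmt -l .)
          if [ -n "$unformatted" ]; then
            echo "files not gofmt-clean:" >&2
            echo "$unformatted" >&2
            exit 1
          fi
```

Keeping gofmt as its own step makes a formatting failure show up separately from a lint or vulnerability finding in the job log. The `permissions: contents: read` block limits the workflow token to what these read-only checks need; if the repository pins third-party actions, the same `@v1`/`@v4` references can be replaced by full commit SHAs so that a compromised or retagged action cannot silently change what runs in CI.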

Files

  • .github/workflows/ci.yml
