Add govulncheck job to lint workflow and fix matrix job result syntax

[mohammedfirdouss]

Issue

#6409

What was addressed

The PR adds two security features:

1. Dependabot configuration — automatically checks for dependency updates
2. govulncheck integration — scans Go code for known vulnerabilities

How it works

1. Dependabot (.github/dependabot.yml)

• Scans Go modules and npm packages weekly
• Monitors multiple directories (root, plugins, tools, web, docs)
• Creates PRs when updates are available
• Limits open PRs to 5 per ecosystem to avoid spam

2. govulncheck (.github/workflows/lint.yaml)

• Runs automatically on every PR and push
• Scans all Go modules in the repository
• Uses a matrix strategy to check each module separately
• Fails the CI if vulnerabilities are found
• Includes a completion job (govulncheck-completed) for branch protection rules

Testing

mohammedfirdouss#1 - see this dependabot that automatically checks for dependency updates in my repo and updates what is necessary then opens a PR.
Check out how the workflow file also catches vulnerabilities, the screenshots show evidences that this would work. I am open to reviews and suggestions.

cc: @khanhtc1202 @eeshaanSA @Warashi @ffjlabo

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Ayushmore1214]

Adding go module caching would be better for faster CI runs WDYT @mohammedfirdouss ?

[mohammedfirdouss]

Adding go module caching would be better for faster CI runs WDYT @mohammedfirdouss ?

Hmm, I think this is a good idea.

[khanhtc1202]

LGTM, thanks 👍

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.65%. Comparing base (7b5e11a) to head (1f81585).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6435      +/-   ##
==========================================
+ Coverage   28.87%   38.65%   +9.77%     
==========================================
  Files         560       11     -549     
  Lines       59955      652   -59303     
==========================================
- Hits        17313      252   -17061     
+ Misses      41321      384   -40937     
+ Partials     1321       16    -1305     

Flag	Coverage Δ
.	?
.-pkg-app-pipedv1-plugin-analysis	?
.-pkg-app-pipedv1-plugin-kubernetes	?
.-pkg-app-pipedv1-plugin-kubernetes_multicluster	?
.-pkg-app-pipedv1-plugin-scriptrun	?
.-pkg-app-pipedv1-plugin-terraform	38.65% <ø> (ø)
.-pkg-app-pipedv1-plugin-wait	?
.-pkg-app-pipedv1-plugin-waitapproval	?
.-pkg-plugin-sdk	?
.-tool-actions-gh-release	?
.-tool-actions-plan-preview	?
.-tool-codegen-protoc-gen-auth	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mohammedfirdouss]

@khanhtc1202 Merge conflict has been resolved.

[khanhtc1202]

LGTM