Like staticcheck, gosec is not part of the Go toolchain. We'll need to install it in our remote runner before we can use it.
Security isn't a style concern, so let's add these next steps after go test in the "Tests" job.
Add the install step.
- name: Install gosec
  run: go install github.com/securego/gosec/v2/cmd/gosec@latest
Add another step to do a gosec check.
We want to be sure gosec works, so the first time you push the new ci.yml file to your PR branch, the check is meant to fail. Don't fix the errors in the Notely project code yet.
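To show the kind of finding that makes a gosec step fail, here is an added example (not code from the Notely project or from this course): the first function draws a token from math/rand, which gosec reports under its G404 rule, and the second is the crypto/rand version that passes that rule. The function names `weakToken` and `secureToken` are made up for illustration.

```go
package main

import (
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakToken (hypothetical name) builds a token from math/rand.
// gosec reports this as G404 (insecure random number source):
// the generator is not cryptographically secure, so its output must
// not be used for session IDs, API keys or password-reset tokens.
func weakToken(n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(mrand.Intn(256))
	}
	return hex.EncodeToString(b)
}

// secureToken (hypothetical name) reads n bytes from the operating
// system's CSPRNG through crypto/rand and hex-encodes them.
// The error is returned to the caller rather than dropped.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := crand.Read(b); err != nil {
		return "", fmt.Errorf("reading random bytes: %w", err)
	}
	return hex.EncodeToString(b), nil
}

func main() {
	fmt.Println("weak:  ", weakToken(16))

	tok, err := secureToken(16)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("secure:", tok)
}
```

When gosec reports a finding it exits with a non-zero status, and that is what turns the CI step red.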
Paste the URL of your GitHub repo into the box and run the GitHub checks.