.github: replace dependabot with daily test and govulncheck

Trying out Filippo's recommendation from
https://words.filippo.io/dependabot/

.github/workflows/tests.yml

@@ -1,3 +1,4 @@
+name: tests
 on:
   push:
     branches:
@@ -5,48 +6,92 @@ on:
   pull_request:
     branches:
       - "**"
+  schedule: # daily at 07:30 UTC
+    - cron: "30 7 * * *"
   workflow_dispatch:
-name: tests
-env:
-  GO111MODULE: on
-
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 jobs:
   test:
     strategy:
+      fail-fast: false
       matrix:
-        go-version:
-          # support the two most recent major go versions
-          - stable
-          - oldstable
+        go:
+          # test with the two most recent major go versions,
+          # as well as the minimum supported from go.mod.
+          - { go-version: stable }
+          - { go-version: oldstable }
+          - { go-version-file: go.mod }
         platform: [ubuntu-latest]
         include:
-          # minimum go version that works. This is not necessarily supported in
-          # any way, and will be bumped up without notice as needed.  But it at
-          # least lets us know what go version should work.
-          - go-version: 1.23
-            platform: ubuntu-latest
-
           # include windows, but only with the latest Go version, since there
           # is very little in the library that is platform specific
-          - go-version: stable
+          - go: { go-version: stable }
             platform: windows-latest
 
           # only update test coverage stats with most recent go version on linux
-          - go-version: stable
+          - go: { go-version: stable }
             platform: ubuntu-latest
             update-coverage: true
     runs-on: ${{ matrix.platform }}
-
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/checkout@v6
         with:
-          go-version: ${{ matrix.go-version }}
-
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go.go-version }}
+          go-version-file: ${{ matrix.go.go-version-file }}
       - name: Run go test
         run: go test -v -race -coverprofile coverage.txt -covermode atomic ./...
-
       - name: Upload coverage to Codecov
         if: ${{ matrix.update-coverage }}
         uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+  test-latest:
+    strategy:
+      fail-fast: false
+      matrix:
+        go:
+          - { go-version: stable }
+          - { go-version-file: go.mod }
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go.go-version }}
+          go-version-file: ${{ matrix.go.go-version-file }}
+      - uses: geomys/sandboxed-step@7d75eb49d17fdeeb3656b3a57d35932d205bcfb9 # v1.2.1
+        with:
+          run: |
+            go get -u -t ./...
+            go test -race ./...
+  staticcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+      - uses: geomys/sandboxed-step@7d75eb49d17fdeeb3656b3a57d35932d205bcfb9 # v1.2.1
+        with:
+          run: go run honnef.co/go/tools/cmd/staticcheck@latest ./...
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+      - uses: geomys/sandboxed-step@7d75eb49d17fdeeb3656b3a57d35932d205bcfb9 # v1.2.1
+        with:
+          run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...