This is a security issue.
Because the Go dependencies are vendored in the repository, malicious changes can be slipped into the `vendor` folder, and such changes are very likely to be missed when reviewing a PR that touches dependencies (example PR here).
This could be addressed by no longer vendoring the dependencies and relying only on the committed `go.mod` and `go.sum` files, but this task is focused on leaving the vendored dependencies as they are. Instead, it should add a check to the CI of our Go repositories that runs `go mod tidy` and `go mod vendor` and then verifies that `git diff` is empty, in order to catch unexpected dependency changes.
- Add this check to the `check-golang-static` file in mendertesting.
- Some story points are allocated to account for issues in a few repositories when adding this, given the different Go versions in use, etc.
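The check described above, as an added example (not the mendertesting project's own `check-golang-static` code): a POSIX shell script that regenerates `go.mod`, `go.sum` and `vendor/` and fails the CI job if git reports any resulting difference. It assumes it is run from the repository root with `go` and `git` on `PATH`; the decision logic is split into a small function so it can be exercised without a Go toolchain.

```shell
#!/bin/sh
# Added example, not part of the original issue: CI guard that fails when
# `go mod tidy` + `go mod vendor` would change go.mod, go.sum or vendor/.
# Assumptions: invoked from the repo root; go and git are on PATH.
set -eu

# Return 0 when the `git status --porcelain` output read from stdin is empty
# (nothing changed), 1 otherwise. Kept separate so it is testable offline.
vendor_status_is_clean() {
    status="$(cat)"
    [ -z "$status" ]
}

check_vendor_in_sync() {
    # Regenerate the dependency metadata and the vendor tree. go mod vendor
    # rebuilds vendor/ from go.mod, so an edited or extra vendored file that
    # does not match the module source shows up as a modification/deletion.
    go mod tidy
    go mod vendor

    # Restrict the status check to the paths these commands may touch, so
    # unrelated uncommitted work in the checkout does not cause false alarms.
    if git status --porcelain -- go.mod go.sum vendor/ | vendor_status_is_clean; then
        echo "OK: vendor/ is in sync with go.mod and go.sum"
        return 0
    fi

    echo "ERROR: go mod tidy / go mod vendor produced changes." >&2
    echo "Either commit the regenerated files or remove the unexpected edits:" >&2
    git --no-pager status --porcelain -- go.mod go.sum vendor/ >&2
    git --no-pager diff --stat -- go.mod go.sum vendor/ >&2
    return 1
}

# Only run the real check when asked to, e.g. `sh check-vendor.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_vendor_in_sync
fi
```

Run it as `sh check-vendor.sh --check` from the repository root as a CI step. Because `go mod tidy` output can differ between Go releases (for example in `// indirect` markers or the `go` directive), the CI image should use the same Go version developers are expected to run locally; otherwise the check reports spurious differences, which is the cross-repository friction the story points above account for.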