ci: add periodic security-scan cron workflow (#72)

[ilmoniemi]

What

Adds .github/workflows/security-scan.yml — a scheduled workflow that re-runs the same two security scanners that gate PRs (image-scan Trivy from #68 and govulncheck from #41) against the latest main SHA, on a daily cron (06:00 UTC) plus workflow_dispatch for manual re-runs.

The goal is to close the post-merge invisibility window: CVEs disclosed today against deps that haven't changed since the last PR otherwise produce no signal until someone next bumps the affected dep. The cron caps that window at ~24h via a red row in the Actions list. Auto-issue filing on top of that signal is deferred to #73.

Issue

Closes #72.

Testing

• go vet ./... and go test -race ./... clean (no Go code touched, but verified).
• Pin lockstep with ci.yml verified mechanically:
  • Trivy action SHA: ed142fd0673e97e23eac54620cfb913e5ce36c25 (tracks aquasecurity/trivy-action@v0.36.0) — matches ci.yml line 70.
  • govulncheck@v1.1.4 — matches ci.yml line 43.
• Post-merge verification (per spec § Testing strategy, AC relay: frame forwarding loop — wrap/unwrap routing envelope, route by server-id and conn_id #6): trigger workflow_dispatch against main from the Actions UI and confirm both jobs complete green. The vulnerable-state path is exercised by relay: auto-file GitHub issue when periodic security-scan finds a regression #73's auto-issue test.

Architecture compliance

Follows docs/specs/architecture/72-periodic-security-scan.md verbatim:

• Single new file, no edits to ci.yml, no reusable workflow / composite action (clarity over DRY at v1, per AC relay: WS upgrade for /v1/client — accept phone connection, look up server-id, register #5).
• Two parallel jobs (image-scan, govulncheck) — independent surfaces produce independent check entries.
• permissions: contents: read at workflow level + job level on each job (belt-and-suspenders mirror of ci.yml). No issues: write — deferred to relay: auto-file GitHub issue when periodic security-scan finds a regression #73.
• gosec intentionally not ported (spec § Out of scope: source-static-analysis output doesn't change on unchanged main).
• # Tracks: comments preserved on both pins per the lockstep convention.
• Explicit ref: main on actions/checkout so a workflow_dispatch from a feature branch still scans main (AC feat(relay): routing-envelope wrapper type (#1) #2).

🤖 Generated with Claude Code

[ilmoniemi]

Code Review: #72

Decision: PASS

Findings

None.

Summary

The PR adds a single new file .github/workflows/security-scan.yml that mirrors the architect's spec verbatim. Verified against ci.yml:

• Pin lockstep with ci.yml:
  • Trivy action aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 — matches ci.yml:70 ✓
  • # Tracks: aquasecurity/trivy-action@v0.36.0 — matches ci.yml:63 ✓
  • golang.org/x/vuln/cmd/govulncheck@v1.1.4 — matches ci.yml:43 ✓
  • # Tracks: golang.org/x/vuln/cmd/govulncheck@v1.1.4 — matches ci.yml:35 ✓
  • actions/checkout@v6, actions/setup-go@v6 with go-version: '1.26.x' — matches ci.yml ✓
• Trivy flag parity with ci.yml's image-scan job (AC feat(relay): routing-envelope wrapper type (#1) #2): format: table, severity: CRITICAL,HIGH, ignore-unfixed: true, vuln-type: os,library, exit-code: '1' all present ✓
• gosec correctly NOT ported — spec § Out of scope rationale honoured ✓
• Schedule: 0 6 * * * daily + workflow_dispatch: (no inputs) ✓
• Permissions (AC relay: WS upgrade for /v1/server — accept binary connection, validate headers, claim server-id #4): workflow-level permissions: contents: read, job-level contents: read on both jobs, no issues: write (deferred to relay: auto-file GitHub issue when periodic security-scan finds a regression #73) ✓
• Explicit ref: main on checkout — guarantees the scan targets main even on a feature-branch workflow_dispatch ✓
• Two parallel jobs, no needs: — independent surfaces produce independent check entries per spec § Why two parallel jobs ✓

Security review (label: security-sensitive)

1. Architect's security-review section present. Spec docs/specs/architecture/72-periodic-security-scan.md § Security review exists with verdict PASS and the eight-section findings list (trust boundaries, secrets, file ops, subprocess, crypto, network, logs, concurrency, threat-model alignment) plus five adversarial scenarios. ✓
2. Diff matches the spec's findings. Walked the security goggles patterns:
   • Tokens / secrets: no ${{ secrets.* }} references, no token logging.
   • File operations: none beyond docker build (runner-local) and go install (runner-local).
   • Subprocess: only fixed command strings; the one interpolation ${{ github.sha }} is a 40-char hex SHA, shell-safe.
   • Crypto: no new crypto; inherits the commit-SHA pin (Trivy) and Go module checksum-DB (govulncheck) controls.
   • Network: no listeners; egress targets identical to ci.yml.
   • gosec / govulncheck: workflow adds no Go code, no // #nosec annotations.

CI checks test is green; security and image-scan were still pending at review time — both will be exercised again post-merge via the workflow_dispatch step in the AC #6 verification plan.

Recommend merge.