chore(ci): add Diet PR metrics workflow (#2469)

* ci: add Diet PR metrics workflow

Automatically reports go.sum lines, direct dependency count, and
binary size before/after on PRs that touch go.mod or go.sum.
Results appear in GitHub Actions Step Summary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: fix heredoc indentation and dep counting per Copilot review

- Remove leading spaces from heredoc content so Step Summary renders
  as a proper markdown table instead of a code block
- Count direct deps correctly by subtracting indirect from total
  (grep '// indirect' vs grep all tab-indented lines)
- Add || echo 0 to grep -c to prevent exit code 1 on zero matches
- Add indirect deps row to the metrics table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: add scanner-only binary size to diet metrics

Build with -tags=scanner (cmd/scanner) in addition to the full build
(cmd/vuls) to show the size impact on both build targets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: pin GitHub Actions to commit SHAs

Pin actions/checkout and actions/setup-go to full commit SHAs
to prevent supply chain attacks via tag mutation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: kotakanbe

.github/workflows/diet-check.yml

@@ -0,0 +1,64 @@
+name: Diet PR Check
+on:
+  pull_request:
+    paths: ['go.mod', 'go.sum']
+
+permissions:
+  contents: read
+
+jobs:
+  diet-metrics:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Metrics (PR branch)
+        run: |
+          echo "AFTER_GOSUM=$(wc -l < go.sum)" >> "$GITHUB_ENV"
+          echo "AFTER_DEPS=$(grep -c '// indirect' go.mod | tr -d ' ' || echo 0)" >> "$GITHUB_ENV"
+          echo "AFTER_TOTAL=$(grep -cP $'^\t' go.mod || echo 0)" >> "$GITHUB_ENV"
+          CGO_ENABLED=0 GOEXPERIMENT=jsonv2 go build -trimpath -o /tmp/vuls-after ./cmd/vuls
+          echo "AFTER_SIZE=$(stat -c%s /tmp/vuls-after)" >> "$GITHUB_ENV"
+          CGO_ENABLED=0 GOEXPERIMENT=jsonv2 go build -tags=scanner -trimpath -o /tmp/scanner-after ./cmd/scanner
+          echo "AFTER_SCANNER_SIZE=$(stat -c%s /tmp/scanner-after)" >> "$GITHUB_ENV"
+
+      - name: Metrics (base branch)
+        run: |
+          git checkout "${{ github.event.pull_request.base.sha }}"
+          echo "BEFORE_GOSUM=$(wc -l < go.sum)" >> "$GITHUB_ENV"
+          echo "BEFORE_DEPS=$(grep -c '// indirect' go.mod | tr -d ' ' || echo 0)" >> "$GITHUB_ENV"
+          echo "BEFORE_TOTAL=$(grep -cP $'^\t' go.mod || echo 0)" >> "$GITHUB_ENV"
+          CGO_ENABLED=0 GOEXPERIMENT=jsonv2 go build -trimpath -o /tmp/vuls-before ./cmd/vuls
+          echo "BEFORE_SIZE=$(stat -c%s /tmp/vuls-before)" >> "$GITHUB_ENV"
+          CGO_ENABLED=0 GOEXPERIMENT=jsonv2 go build -tags=scanner -trimpath -o /tmp/scanner-before ./cmd/scanner
+          echo "BEFORE_SCANNER_SIZE=$(stat -c%s /tmp/scanner-before)" >> "$GITHUB_ENV"
+
+      - name: Report
+        run: |
+          before_direct=$((BEFORE_TOTAL - BEFORE_DEPS))
+          after_direct=$((AFTER_TOTAL - AFTER_DEPS))
+          delta_gosum=$((AFTER_GOSUM - BEFORE_GOSUM))
+          delta_direct=$((after_direct - before_direct))
+          delta_indirect=$((AFTER_DEPS - BEFORE_DEPS))
+          delta_kb=$(( (AFTER_SIZE - BEFORE_SIZE) / 1024 ))
+          delta_scanner_kb=$(( (AFTER_SCANNER_SIZE - BEFORE_SCANNER_SIZE) / 1024 ))
+          before_mb=$(awk "BEGIN{printf \"%.1f\", $BEFORE_SIZE/1048576}")
+          after_mb=$(awk "BEGIN{printf \"%.1f\", $AFTER_SIZE/1048576}")
+          before_scanner_mb=$(awk "BEGIN{printf \"%.1f\", $BEFORE_SCANNER_SIZE/1048576}")
+          after_scanner_mb=$(awk "BEGIN{printf \"%.1f\", $AFTER_SCANNER_SIZE/1048576}")
+          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
+## Diet Metrics
+| Metric | Before | After | Delta |
+|--------|--------|-------|-------|
+| go.sum lines | $BEFORE_GOSUM | $AFTER_GOSUM | ${delta_gosum} |
+| Direct deps | ${before_direct} | ${after_direct} | ${delta_direct} |
+| Indirect deps | $BEFORE_DEPS | $AFTER_DEPS | ${delta_indirect} |
+| Binary size (full) | ${before_mb}MB | ${after_mb}MB | ${delta_kb}KB |
+| Binary size (scanner) | ${before_scanner_mb}MB | ${after_scanner_mb}MB | ${delta_scanner_kb}KB |
+EOF